FISMA's facelift focuses on four areas, for now

Tuesday - 5/25/2010, 6:43pm EDT


By Jason Miller
Executive Editor
Federal News Radio

PHILADELPHIA -- The Office of Management and Budget announced new metrics for agencies to evaluate their cybersecurity posture in April. Now it's up to the departments of Homeland Security and Justice, the General Services Administration and the National Institute of Standards and Technology to make them a reality.

DHS is leading the development of the new measures for the Federal Information Security Management Act. Justice is providing the CyberScope tool into which agencies will feed their network security data, NIST is developing new guidance on real-time continuous monitoring and on risk measurement and mitigation, and GSA soon will issue a request for proposals for more advanced security tools.

All three of these initiatives are happening at one time.

Justice will hold an industry day in June to help vendors understand how the CyberScope tool will work. Matt Coose, the director of DHS's Federal Network Security office, says the announcement will be posted on FedBizOpps.gov.

Coose, who spoke at the Management of Change conference sponsored by IAC/ACT, says Justice will not be buying anything, but will be helping vendors better understand CyberScope's requirements.

"The purpose of that is to get out the schema to vendors that develop security management tools so they can figure out how to start feeding CyberScope these automated feeds," he says. "How do we conform to the schema, what needs to be done on the product development side and how can we help agencies meet the FISMA requirements."

NIST is updating several governmentwide publications around cybersecurity.

Marianne Swanson, NIST's senior advisor in the information system security division, says her office will issue a new draft continuous monitoring guidance by the end of June. By July, NIST will give agencies and vendors a draft document on how best to manage risk in information systems, a draft of the new contingency planning guidance and a new draft on how best to manage a vendor's supply chain risk.

The continuous monitoring and the information systems risk management guidance documents will each cover three broad areas: the organizational, mission and system levels, she says.

"Organization is at the policy level and asks how much risk can an organization tolerate?" Swanson says. "At the mission level, we are talking about tools, procedures, report gathering and other actions. And at the system level, it will be more typical of our guidance where we have focused for the last 10-15 years."

For its part, GSA will issue new RFPs for situational awareness and incident response (SAIR) tools in the coming weeks through its SmartBuy enterprise software program.

Coose says Tier 2 will include boundary or firewall protection tools, and Tier 3 will cover broad continuous monitoring tools that let users integrate data into a single tool.

And finally, DHS is heading up the largest piece of this effort. Coose says his office is focusing on four areas that align with work to improve the security of agency systems. DHS will develop metrics around:

  • Inventory management
  • Configuration management
  • Vulnerability management
  • Patch management

"DHS is really trying to take an operational role in crafting metrics that make sense, assessing maturity levels of capabilities and figuring out how people are doing in terms of risk and what the posture is out there," he says. "We have a really proactive and hands-on role…in aligning metrics on what will make their security posture improve."

He adds that agencies are all at different levels of maturity in these four areas, but the tools and standards are mature enough that DHS can help every agency improve.

OMB recently asked agency chief information officers and chief information security officers for comments on the new FISMA metrics.

To create these metrics, DHS is drawing on agency and industry best practices and NIST guidance, and is working closely with the National Security Agency and its own US-CERT.

"Fundamentally, we are looking at threats and what is happening in our networks right now," he says. "What are the attack vectors we are seeing today and what mitigation activities can we put in place to slow down or prevent that stuff from happening? That is the core to what we are trying to figure out."

The other area DHS is focusing on is defining for agencies what it means to provide real-time data feeds. Coose says his office will develop an XML schema to capture information on inventory, configuration and vulnerabilities. Most agencies will upload the resulting data file to CyberScope, he adds.

"For agencies that aren't quite there yet, the things we are doing are looking at the Department of State's solution, Justice and the IRS solutions," he says. "We have defined a reference architecture for that and will publish it to the agencies in June."