Agencies get ready for FISMA changes

Friday - 6/25/2010, 7:14am EDT


By Jason Miller
Executive Editor
Federal News Radio

Several agencies are trying to get a head start in meeting the Office of Management and Budget's mandate to monitor their computer networks in real time by November.

The Veterans Affairs Department will have software in place by Sept. 30 to monitor all of its desktop computers regardless of operating system, says Jaren Doherty, the agency's chief information security officer.

NASA, meanwhile, is taking a page out of the State Department's playbook and implementing real-time monitoring using a scorecard approach. Jerry Davis, NASA's CISO, says his office has begun making the changes to move away from traditional certification and accreditation toward continuous monitoring. Davis issued a memo in May calling for this change.

And the Nuclear Regulatory Commission is assessing its tools to figure out what it needs to meet OMB's mandate, says Patrick Howard, NRC's CISO.

OMB in April issued the fiscal 2011 Federal Information Security Management Act (FISMA) guidance calling for this significant change in how agencies secure their computers.

"Organizations can get caught up in that compliance activity...so we are focusing on how you operationalize compliance," says Davis during a panel discussion sponsored by the AFCEA-Bethesda, Md. chapter. "Organizations need to get to a point where situational awareness is knowing everything you possibly can about the threats, knowing everything you can possibly know about your assets and all the vulnerabilities of those assets and how they interact with each other in a near real-time basis."

Along with OMB's mandate, a cybersecurity bill sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would change FISMA to require real-time monitoring. The Senate Homeland Security and Governmental Affairs Committee passed the bill Thursday and the full Senate is expected to take up the measure in the next few weeks.

Davis, Doherty, Howard and others say the goal is to have the data to make good decisions.

Doherty says VA's program is driven by data and metrics, which is why moving to real-time daily updates on the status of its desktops will make a huge difference.

"It's part of a long term project to get visibility of every device on the network, which would include routers, switches, servers and the entire infrastructure," Doherty says. "We've also tied that in taking a look at biomedical devices to make sure we have adequate protection of biomedical devices. We are working with our industry partners and the Food and Drug Administration to try to make sure there is no chance of malware getting on those machines that could adversely affect medical diagnosis."

VA discovered that its medical devices could be infected with a virus because they are built on common, general-purpose operating systems.

Doherty says vendors can take a year to update their devices, leaving VA vulnerable.

"What we are trying to do is get the companies to put the patch on one of our Web pages and then we can create an automated process to download the patch immediately," he says. "It is being implemented right now. We will have all the devices secured behind a VLAN by Sept. 30. We will have them firewalled off by Dec. 31 and have these other problems addressed sometime during fiscal year 2011."

Doherty says VA recognized the potential vulnerabilities when it did a study during the Conficker outbreak last year. He says the study found certain vulnerabilities in its medical equipment.

NASA is one step ahead of VA in moving to continuous monitoring.

Davis says his office is developing a concept of operations to help system owners understand how real-time monitoring fits into the certification and accreditation activities.

Davis says the concept of operations will show how all the monitoring tools fit together and produce a scorecard similar to what the State Department does.

"The interesting thing is we have been working on this particular project for about a year-and-a-half because we felt we needed to do something a little bit better to manage risk and get down to the true nuts-and-bolts of managing systems' risk," he says. "We went to the State Department and compared tool sets and found they are very similar."

Davis says NASA has met with State three or four times over the past few months.

"If they are doing something, we don't want to reinvent the wheel," he says.

At the NRC, Howard says part of the assessment is to make sure the agency is using its monitoring tools to the fullest extent possible.