The FISMA Focus IPD

The Treasury Inspector General for Tax Administration performed an annual independent report on the Internal Revenue Service’s compliance with FISMA requirements pursuant to OMB’s FISMA 2010 Reporting Guidelines.

The report “determined that the IRS’s information security program was generally compliant with the FISMA legislation, OMB information security requirements, and related information security standards published by the National Institute of Standards and Technology.”

The IG found that although “the information security program was generally compliant with the FISMA legislation, the program was not fully effective as a result of the conditions identified in the following areas.

• Configuration management.

Editors Note: The public is encouraged to raise any questions they have regarding the content of the NIST guidance in this Interactive Public Docket so others might share their views in preparation of comments to NIST.

NIST has published the Initial Public Draft of Special Publication 800-137 “Information Security Continuous Monitoring for Federal Information Systems and Organizations.”

NIST’s Notice is below and the draft document is attached.

DRAFT Information Security Continuous Monitoring for Federal Information Systems and Organizations

December 21, 2010 marks the tenth anniversary of the Data Quality Act (DQA), also known as the Information Quality Act, 44 U.S.C § 3516, note.

The DQA has deep roots developed over nearly a half-century as the result of a seed planted during the Johnson Administration which germinated in the Nixon Administration, was watered by the Carter Administration and whose product was harvested by the Reagan Administration, made available to the public in the Bush I Administration and subsequently enhanced by the Clinton Administration and promoted by the Bush II and Obama Administrations. See: http://thecre.com/ombpapers/SystemsAnalysisGroup.htm and http://thecre.com/quality/20010924_fedinfotriangle.html

The General Services Administration’ Office of Inspector General conducted a review of the agency’s information technology security program pursuant to an OMB FISMA directive.  The IG’s FISMA Review found “that additional steps are needed to strengthen GSA’s IT security program in four key areas: (1) secure configuration of agency systems, (2) oversight of audit logging and monitoring practices, (3) implementation of multifactor authentication for systems processing sensitive information, and (4) encryption of data on agency laptop computers.”

The IG Audit Report is attached below.

GSA IT Security Audit Report

NIST’s FISMA implementation documents are increasingly important to the private sector as Congress comes closer to requiring that federal cybersecurity standards be applied to the private sector. For example, the Chairman of the House Homeland Security Committee has introduced legislation that would authorize the Department of Homeland Security to “establish and enforce risk-based cybersecurity requirements for private sector computer networks within covered critical infrastructures.”

Continuous monitoring is an integral component of the government’s FISMA Risk Management Framework. Government Computer News reported in June that a draft of NIST SP 800-137, the agency’s continuous monitoring guidance document, would be released for public comment, “later this summer….”