With electronic systems emerging as the primary locus of information storage and communication, the corresponding risks have sky-rocketed. According to FBI reports, financial losses from cybercrime and online scams in the U.S. more than doubled in 2009 as compared to 2008. Total losses amounted to $559 million, with a 22% increase in complaint submissions recorded by the Internet Crime Complaint Center (IC3). Alarmingly, in 16% of the cases, scammers had duped their targets by pretending to be affiliated with the FBI.Download an Insight
Clearly, cybercrime is becoming a rampant and complex problem. Criminals are now employing increasingly sophisticated technology to hack into information databases. Not even federal information is safe. And that is where the greatest risk lies.
In the aftermath of 9/11 and subsequent terror attacks across the world, the protection of federal information has become a key government priority. It is especially crucial when one considers the amount of data that the government is responsible for - Social Security Records, defense secrets, insurance information, tax records and health information of millions of people. All this data is subject to a complex web of computers, software, hardware and personnel across local and national boundaries. Without adequate information security, people's safety can be at risk, not to mention their confidence in the government.
Yet, security breaches do occur. Take the instance of the Pentagon hack in 2006; or the attack on the Federal Aviations Administration systems in 2009 where employee personal information was stolen; or the complex tax fraud conspiracy uncovered in 2010 where attempts were by made by a hacker to bilk the government out of millions of dollars. Dangerous antagonists continue to launch wide-scale attacks on federal systems, thereby inflicting irreparable damage. One just needs to scan The Chronology of Data Breaches to observe that almost every other day, a new information security breach is recorded.
As a result of these threats, the U.S. government felt it imperative to implement controls that regulate information security. Thus, in 2002, the Federal Information Security Management Act (FISMA) was passed.
The Importance of FISMA
FISMA recognizes that protecting federal information is central to the economic and national security interests of the nation. Against the complex web of the federal computing environment, FISMA provides agency-wide internal controls for information security and risk management. It requires federal agencies to develop, document and implement an information security program not just for their own operations and assets but for those provided or managed by another agency, contractor or source.
The development and management of FISMA is controlled by two federal agencies - the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). NIST publishes two types of documents - the Federal Information Processing Standards (FIPS) and the Special Publications - both of which help federal agencies achieve FISMA compliance.
FISMA requires agencies to develop an agency-wide security program, adhere to the security standards developed by NIST, and continuously review the effectiveness of their security programs.
Mandatory compliance with FISMA extends to large agencies such as the Department for Homeland Security and the Department of Justice, all foundations, educational institutions and organizations receiving federal funds, as well as contractors who store, process or transmit federally owned data.
Failure to comply with FISMA can lead to a number of repercussions. For one, confidential data is put at the risk of hacker attacks which, in turn, can cause immense financial losses to the government. To avoid this scenario, each federal agency receives an annual grade for its FISMA compliance programs. These grades are made public on at least one federal Web site. A high grade indicates that the agency's systems are secure and data is safe. A low grade indicates that the agency's systems are vulnerable to cyber attack. It can also severely impact an agency's reputation and threaten the jobs of those responsible for information security. More importantly, it can lead to the OMB delaying or denying funding for subsequent agency programs. Sometimes, a low-grade agency's top executives have to testify before Congress, explaining the reasons for their poor scores. Non-compliance is therefore a costly affair.
Executing FISMA compliance
The objectives of agencies complying with FISMA's requirements are two-fold - to build and maintain an information security program, and to submit annual compliance reports. To achieve these objectives, organizations must:
The process of selecting the appropriate security controls is a multifaceted, risk-based activity involving management and operational personnel within the organization.
- Manage an inventory of information systems
Implementing a security program is impossible without knowing exactly which assets need to be protected, and which systems need to be certified and accredited. FISMA requires that each agency carry out a complete inventory of its information systems including computers, software, data, interfaces, servers, networks, tools, people, business processes and buildings, as well as those information systems operated by third parties.
- Categorize information and information systems according to risks
FISMA necessitates that each agency develop a standardized, repeatable methodology to classify assets according to a range of risk levels (low, moderate or high as per Federal Information Processing Standards (FIPS) 199).
- Establish security controls
According to the NIST 800-53 publication, security controls are organized into three general classes and seventeen families. The challenge for organizations is to determine which security controls would most cost-effectively comply with their requirements. To make it easier, NIST has introduced three basic controls:
- Baseline controls - the minimum security controls recommended for an information system based on the system's categorization as per FIPS 199
- Common security controls which can be applied to organization-wide information systems
- System-specific security controls which are applied to individual systems.
- Assess and manage risks
A risk assessment is carried out by identifying potential threats and vulnerabilities, and mapping them to security controls. Risks are then determined by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether the risk should be accepted or mitigated. The responsibility of implementing risk control falls to the top executives of the agecny.
- Achieve system certification and accreditation
Security accreditation is the official decision made by top executives to authorize the operation of a system. By accrediting the system, management explicitly accepts responsibility for the security of the system, and is held accountable if a breach of security occurs. It is therefore imperative that agency officials posses complete and accurate information that helps them determine whether or not to authorize the operation of the information systems
- Monitor and audit systems regularly
It is essential for each agency to regulate information systems and security controls. Regular audits should be conducted to review corrective actions, and measure security and compliance improvements.
With its attention to detail, FISMA is no doubt a valuable tool to federal agencies and the government. As a central repository of regulatory information, it is extremely vital. However, it is not without its own share of challenges.
Complying with FISMA can be a drain on agency finances, time, personnel and other resources. It is not easy to create a sustainable compliance process that operates efficiently year after year, neither is it feasible to produce compliance reports on a regular basis. Understanding and filtering out the specific compliance requirements of each agency is a further hindrance.
Instead of losing sleep over the complexities of FISMA compliance, agencies can turn towards a comprehensive compliance solutions provider. Through a range of applications and software, such a provider can design, assess and improve security controls under the FISMA framework. The result is increased security, compliance and confidence.