FISMA’s facelift focuses on four areas, for now

DHS is leading the effort to rework cybersecurity metrics around patch, configuration, vulnerability and inventory management. Justice plans to host an industry...

By cyberscope tool that agencies will feed their network security into, NIST is developing new guidances around real time continuous monitoring and risk measurement and mitigation and the GSA soon will come out with a request for proposal for more advanced security tools.

All three of these initiatives are happening at one time.

Justice will hold an industry day in June to help vendors understand how the cyberscope tool will work. Matt Coose, the director of DHS’s Federal Network Security office, says the announcement will be in FedBizOpps.gov.

Coose, who spoke at the Management of Change conference sponsored by IAC/ACT, says Justice will not be buying anything, but helping vendors better understand cyberscope’s requirements.

“The purpose of that is to get out the schema to vendors that develop security management tools so they can figure out how to start feeding cyberscope these automated feeds,” he says. “How do we conform to the schema, what needs to be done on the project development side and how can we help agencies meet the FISMA requirements.”

NIST is updating several governmentwide publications around cybersecurity.

Marianne Swanson, NIST’s senior advisor in the information system security division says her office will issue by the end of June a new draft continuous monitoring guidance. By July, NIST will give agencies and vendors a draft document on how best to manage risk in information systems, a draft of the new contingency planning guidance and a new draft on how best to manage a vendors’ supply chain risk.

The continuous monitoring and the information systems risk management guidances will cover three broad areas at the organizational, mission and system levels, she says.

“Organization is at the policy level and asks how much risk can an organization tolerate?” Swanson says. “At the mission level, we are talking about tools, procedures, report gathering and other actions. And at the system level, it will be more typical of our guidance were we have focused for the last 10-15 years.”

For its part, GSA will be issuing new RFPs for situational awareness and incident response (SAIR) tools in the coming weeks through its SmartBuy enterprise software program.

Coose says Tier 2 will include boundary or firewall protection tools, and Tier 3 is broad continuous monitoring tools allowing users to integrate data into one tool.

And finally DHS is heading up the largest piece of this effort. Coose says his office is focusing on four areas that align work to improve the security of agency systems. DHS will develop metrics around:

  • Inventory management
  • Configuration management
  • Vulnerability management
  • Patch management

“DHS is really trying to take an operational role in crafting metrics that make sense, assessing maturity levels of capabilities and figure out how people are doing in terms of risk and what the posture is out there,” he says. “We have a really proactive and hands on role…in aligning metrics on what will make their security posture improve.”

He adds that agencies are all at different levels in terms of these four areas, but the tools and standards are mature so DHS can help all agencies improve.

OMB recently asked agency chief information officers and chief information security officers for comments on the new FISMA metrics.

To create these metrics, DHS is pulling from agency and industry best practices, NIST guidance and is working closely with the National Security Agency and its own U.S. CERT.

“Fundamentally, we are looking at threats and what is happening in our networks right now,” he says. “What are the attack vectors we are seeing today and what mitigation activities can we put in place to slow down or prevent that stuff from happening? That is the core to what we are trying to figure out.”

The other area DHS is focusing on is defining for agencies what it means to provide real-time data feeds. Coose says his office will develop an XML schema to capture information on inventory, configuration and vulnerabilities. Most agencies will upload the data file to cyberscope, he adds.

“For agencies that are quite there yet, the things we are doing are looking at the Department of State’s solution, Justice and the IRS solutions,” he says. “We have defined a reference architecture for that and will publish it to the agencies in June.”

Additionally, Coose says agencies can purchase SAIR Tier 1 tools from GSA’s SmartBuy program to help capture the information.

Over the longer term, DHS will offer more cybersecurity services. Coose says DHS asked for funding in fiscal 2011 to perform red and blue team exercises on agency networks. Red and blue exercises focus on either breaking into agency systems or protecting them from hackers.

Phil Reitinger, DHS’s deputy under secretary in the National Protection and Programs Directorate, recently asked Congress to appropriate $314 million for U.S. Cert. From that funding, Reitinger says DHS will “perform 27 red team/blue team compliance assessments to support Trusted Internet Connections (TIC) initiative implementation and cybersecurity mandate compliance.”

Coose says if funding comes through, DHS will offer these services for free to agencies.

“We are in the process now of working with NSA and other folks to define methodology to use to get that service out,” he says.

Hear Jason Miller discuss this on DorobekInsider.

(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

    Stacy Bostjanick and Jennifer Henderson

    Risk and Compliance Exchange 2024: DoD’ Stacy Bostjanick, DCMA’s Jennifer Henderson on finding ‘any means possible’ to help small biz with CMMC

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    How should software producers be held accountable for shoddy cybersecurity products?

    Read more