DON CIO issues FISMA guidance
CHIPS, July-Sept, 2006 by Jim Collins
"Each federal agency shall develop, document, and implement an agencywide information security program to provide information security for the information and information systems that support operations and assets of the agency, including those provided or managed by another agency, contractor, or other source ..."
--Federal Information Security Management Act of 2002
All federal agencies, including the Department of the Navy (DON), must comply with the provisions of the Federal Information Security Management Act (FISMA) of 2002. Also known as Title III of the E-Government Act of 2002, FISMA requires each federal agency to provide security safeguards for its information technology (IT) assets.
FISMA Requirements
FISMA mandates that each federal agency report the status of its IT posture to Congress annually. The report must address the adequacy and effectiveness of information security policies, procedures and practices. In addition to the annual report, FISMA requires each agency to conduct an annual independent evaluation of its information assurance (IA) program to determine its effectiveness.
FISMA legislation directed the Office of Management and Budget (OMB) to set standards and oversee FISMA compliance. The DON Chief Information Officer (CIO) coordinates reporting with Navy and Marine Corps activities and sends FISMA reports to the Office of the Secretary of Defense (OSD) Assistant Secretary of Defense for Networks and Information Integration (ASD-NII). The ASD-NII consolidates all Department of Defense data and develops an overall DoD FISMA report for OMB and Congress.
The DON CIO issued DON FISMA Guidance in March 2006 and posted the document on the DON CIO Web site at www.doncio.navy.mil. DON FISMA Guidance provides a foundation for improving the DON's IA posture and outlines courses of action for ensuring compliance with FISMA requirements.
The guidance supports and complements the Secretary of the Navy Instruction (SECNAVINST) 5239.3A, "Department of the Navy Information Assurance (IA) Policy," which describes FISMA requirements within the DON. It also discusses efforts to improve the DON's overall IA posture, provides metrics to measure specific IA aspects, and includes the DON policy for plans of action and milestones (POA&Ms) for correcting information security deficiencies, as required by DON, DoD and OMB policies.
DITPR-DON
The DON variant of the DoD IT Portfolio Registry, referred to as DITPR-DON, serves as a technical database of FISMA assessments, and it maintains the IT system inventory for compliance with Congressional requirements. The Office of the Secretary of Defense uses data from the DITPR to compile reports for internal use and for distribution to OMB and Congress.
The DON uses the DITPR-DON to record the certification and accreditation (C&A) status of Mission Critical (MC), Mission Essential (ME), and Mission Support (MS) DON IT systems and networks. The DON uploads DITPR-DON data into DITPR at least quarterly (March 1, June 1, Sept. 1 and Dec. 1). The ASD-NII uses the data to report DoD FISMA status on a quarterly basis to OMB and annually to OMB and Congress.
The DON CIO submits an annual FISMA report to ASD-NII, which includes data on IT systems and networks, the status of IA training, intrusion incidents, and system/network vulnerability testing. ASD-NII uses each "Defense Agency FISMA Report" to develop its annual FISMA Report to OMB and Congress. Based on OSD's annual FISMA Report, and the evaluation of the DoD Inspector General, Congress then assigns a grade for each agency's information security status.
DON CIO FISMA Guidance
On April 21, 2006, the DON CIO issued the DON fiscal year 2006 FISMA Report Guidance to the DON Navy and Marine Corps Deputy CIOs for forwarding to echelon II commanders, the Marine Corps major commands, and the Assistant for Administration, Office of the Under Secretary of the Navy (AAUSN).
This year, the DON FISMA Report will be due to ASD-NII July 21, 2006. It will include the latest data available from the DITPR-DON as of that date. Since OSD will complete its FY 2006 FISMA Report in September, Sept. 1, 2006 is the last opportunity for the DON to update FISMA data.
Timely and accurate reporting of DON FISMA data to DoD and OMB is essential to demonstrating the DON information assurance posture. OMB requirements to support FISMA may change, so the DON must watch for new requirements each year to ensure compliance. For FY 2006, OSD issued new requirements for reaching and sustaining 90 percent or greater full accreditation for systems and networks, referred to as full Authority to Operate (ATO) status.
FISMA Training Requirements
Minimum IA training goals for FY 2006 specify that 96 percent of DON personnel, including contractors, shall complete annual IT security awareness training. This training can be accomplished using the Navy Knowledge Online Web site at https://www.nko.navy.mil/ or MarineNet at http://www.marinenet.usmc.mil/.
For DON personnel, including contractors, with significant IA responsibilities, the DON decrees that 90 percent shall complete specialized training as specified in DoD Directive (DoDD) 8570.1, "Information Assurance Training, Certification, and Workforce Management" of Aug. 15, 2004, and its associated manual, DoD 8570.01-M, "Information Assurance Workforce Improvement Program."



