FISMA update
CHIPS, Oct-Dec, 2005 by Jennifer Korenblatt
FISMA fundamentals
The Department of the Navy (DON) is required to comply with the Federal Information Security Management Act of 2002 (FISMA), also known as Title III of the E-Government Act of 2002. FISMA requires each federal agency to provide information security for its information technology (IT) assets. The purpose of FISMA is to provide a framework for enhancing the effectiveness of information security in the federal government. FISMA also provides a mechanism for effective oversight of federal agency information security programs.
The director of the Office of Management and Budget (OMB) oversees FISMA compliance. The DON reports FISMA status to the Assistant Secretary of Defense (Networks and Information Integration) (ASD/NII), which consolidates all Department of Defense (DoD) input and reports to OMB. This article explains the importance of accurate and timely reporting of FISMA data.
FISMA Reporting Using the IT Registry
The DoD Information Technology Registry serves as a technical repository to support chief information officers' (CIO) assessments and maintains an IT system inventory to comply with Congressional requirements. The Office of the Secretary of Defense (OSD) uses data from the DoD IT Registry to compile reports regarding FISMA status.
The DON uses its own DON IT Registry to record the certification and accreditation (C&A) status of mission critical (MC), mission essential (ME), and mission support (MS) DON systems and networks. The DON uploads this data quarterly (March 1, June 1, Sept. 1 and Dec. 1) into the DoD IT Registry. Data from the DoD IT Registry is used to report FISMA status for the entire DoD to OMB and Congress. The DON must improve the recording and reporting of IT systems data to increase compliance with OSD and OMB FISMA requirements. Punctual and accurate reporting of DON IT systems is key to validating DON compliance with security requirements and justifying funding for IT security tasks.
Key Issues for FISMA Compliance
Three key areas of FISMA compliance that affect the DON are:
(1) reporting the certification and accreditation status of DON IT systems; (2) the DON Plan of Action and Milestones (POA&M); and (3) the status of information systems privacy management.
The Secretary of the Navy directed the DON to reach and sustain 90 percent or greater certification and accreditation status for DON systems and networks. This C&A compliance rate is required by the President's Management Agenda for 2005.
OMB requires federal agency CIOs to monitor the status of information security weaknesses, including the lack of full accreditation in POA&Ms for each system and network. OMB reviews POA&Ms for systems for which a Capital Asset Plan and Justifications (known as OMB Exhibit 300) is submitted. The Department of the Navy Chief Information Officer (DON CIO) retains other system POA&Ms and provides a summary report to OSD quarterly. The DON CIO is responsible for DON compliance with Section 208, Privacy Provisions of the E-Government Act of 2002. OMB Memorandum 03-22, "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," issued Sept. 26, 2003, provides OMB requirements for compliance with the E-Government Act and states the conditions in which a Privacy Impact Assessment is required for an IT system.
The DON CIO has developed a Privacy Impact Assessment, which is available on the DON CIO Web site. (See the Reference Links box for information.)
In fiscal year 2005, OMB introduced a new privacy management section of FISMA reporting, which moves privacy compliance reporting from the annual E-Government Act report to the annual FISMA report.
OMB FISMA Guidance for FY 2005
In 2005, OMB issued M-05-15, "FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management" to facilitate FISMA reporting. This memorandum provides reporting instructions and FISMA and Privacy Management reporting templates.
FISMA requires system owners to annually review certification and accreditation status of all systems, including those that are accredited (i.e., granted an approval to operate). This annual review must include all items listed in DoD Instruction 8500.2, "Information Assurance (IA) Implementation," issued Feb. 6, 2003.
FISMA requires that certification and accreditation statistics for contractor and government systems be reported separately. Contractor systems are information systems used or operated by a contractor of a federal agency or other organization on behalf of the agency. An example of a contractor system is the Navy Marine Corps Intranet.
DoD FISMA Guidance for FY 2005
In addition to the OMB requirements for 2005, the Office of the Secretary of Defense issued FISMA guidance to assist the DoD in complying with the new requirements. There is a new requirement for system owners to report the status of mission support IT systems in the DoD IT Registry, in addition to the current requirement to report mission critical and mission essential systems. With this new requirement OSD seeks to comply with the President's Management Agenda and the E-Government Act, both of which mandate that all systems be registered in the DoD IT Registry.



