http://www.gcn.com/print/26_25/45097-1.html
By Trudy Walsh
GCN.com
09/24/07 issue
NASA’s Marshall Space Flight Center employees develop key space
transportation technologies, including some used in projects that will
send astronauts to the moon and, eventually, Mars.
But they couldn’t get their Federal Information Security Management Act
reporting off the ground.
Bob Keasling, a project manager at the Huntsville, Ala., center,
described the agency’s FISMA reporting as “spreadsheet chaos.”
FISMA requires each agency to track metrics on different functional
areas of information technology security. It requires agencies to:
* Develop an agencywide security program.
* Implement and adhere to security configuration standards developed
by the National Institute of Standards and Technology.
* Identify and resolve risks.
* Perform ongoing assessment and testing.
* Conduct annual reviews on the effectiveness of the agency’s
information security and privacy programs and report the results
to the Office of Management and Budget annually.
At Marshall, some people used databases, but others used spreadsheets
and other documents to collect the required security data. But there was
no standard method of data collection.
Keasling and a team at Marshall — including David Black, Vernon Bates,
Jim McCraw and Raul Mejia — developed the Information Technology
Security Center, an application to automate FISMA reporting. The
application is designed to integrate the data and processes needed to
manage an IT security program that complies with NIST security guidance
as outlined by the FISMA framework.
When users log on to the Web browser-based ITSC, the first thing they
see is the FISMA summary score card for their NASA center. For each
functional area, the score card shows how many things need to be
completed and how many are complete. Users can drill down to individual
organizations within Marshall.
ITSC is based on a strong data foundation, Keasling said, where
information is gathered from authoritative sources and integrated.
Before ITSC, people had to find out who had the data and then ask for
their piece of it, he said. Then they had to enter it into a document
and try to merge it with other data.
Now, with ITSC, much of this data entry is automated, so users can focus
on analysis. More time for analysis with better data means better
security. “Our centralized system with standardized processes has
improved coordination and communication,” Keasling said. “We are on the
same page.”
ITSC maintains an inventory of systems and gives IT employees the
ability to generate NIST-based certification and accreditation packages,
one of the requirements of FISMA. The integration of personnel,
equipment, network and application data; training records;
certifications; configurations; vulnerabilities; and NIST-supplied
security controls helps expedite the process of generating a C&A
package.
The ITSC application also provides a change management feature that
helps employees meet NIST’s continuous-monitoring phase of C&A. Changes
are documented against a C&A package and submitted to a NASA board for
approval. ITSC then sends e-mail notifications to staff members involved
in the change process.
ITSC provides for data inheritance that allows common controls to be
shared at the agency, site and master-plan levels. NIST uses the term
common control to describe security controls that cover more than one
system, Keasling said. For example, a site’s IT security training and
awareness program may be the same for all systems. Instead of having
each system owner document how they meet this control requirement, ITSC
can define it once, and all systems at that site inherit that response.
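The common-control inheritance just described, together with the summary score card mentioned earlier, is sketched below in Python as an added illustration. This is not ITSC's code; the scope levels (agency, site, master plan, system), the choice of NIST SP 800-53 control identifiers, and all sample responses are constructed for the example. A response defined at the most specific level wins, so a system can still override an inherited site-wide answer, and the score card counts complete versus required controls per functional area across the systems it is asked about.

```python
"""Common-control inheritance with a FISMA-style score card.

Added illustration, not NASA's ITSC code. Scope levels, the control
selection and all sample data below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inheritance order, least specific first. A response defined at a more
# specific level overrides one inherited from a broader level.
LEVELS = ("agency", "site", "master_plan", "system")

# Illustrative catalogue: control id -> functional area. The ids are
# NIST SP 800-53 controls; which ones to track is an assumption here.
CATALOGUE = {
    "AT-2": "Awareness and Training",
    "CM-6": "Configuration Management",
    "RA-5": "Risk Assessment",
    "CA-7": "Security Assessment",
}


@dataclass(frozen=True)
class Response:
    status: str       # "complete" or "incomplete"
    narrative: str    # how the control is met
    defined_at: str   # level that supplied this response


@dataclass
class System:
    name: str
    # Scope name at each level this system belongs to,
    # e.g. {"agency": "NASA", "site": "MSFC", "system": "SYS-A"}
    scopes: Dict[str, str]


class ControlRegistry:
    def __init__(self) -> None:
        # (level, scope name, control id) -> Response
        self._responses: Dict[Tuple[str, str, str], Response] = {}

    def define(self, level: str, scope: str, control_id: str,
               status: str, narrative: str) -> None:
        """Record a control response once, at the given level and scope."""
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        if control_id not in CATALOGUE:
            raise KeyError(f"control {control_id} is not in the catalogue")
        self._responses[(level, scope, control_id)] = Response(
            status, narrative, level)

    def resolve(self, system: System, control_id: str) -> Optional[Response]:
        """Walk from the most specific level to the broadest; first hit wins."""
        for level in reversed(LEVELS):
            scope = system.scopes.get(level)
            if scope is None:
                continue  # system is not part of any scope at this level
            hit = self._responses.get((level, scope, control_id))
            if hit is not None:
                return hit
        return None  # nothing documented anywhere in the chain

    def scorecard(self, systems: List[System]) -> Dict[str, Tuple[int, int]]:
        """Per functional area: (complete, required) across the given systems."""
        card = {area: [0, 0] for area in CATALOGUE.values()}
        for system in systems:
            for control_id, area in CATALOGUE.items():
                card[area][1] += 1
                resp = self.resolve(system, control_id)
                if resp is not None and resp.status == "complete":
                    card[area][0] += 1
        return {area: (done, total) for area, (done, total) in card.items()}


def build_sample() -> Tuple[ControlRegistry, List[System]]:
    """Constructed sample: one site-wide training program, two systems."""
    reg = ControlRegistry()
    # Site-wide awareness program: defined once, inherited by every MSFC system.
    reg.define("site", "MSFC", "AT-2", "complete", "Annual center-wide course")
    # Agency-level continuous monitoring, inherited by everything under NASA.
    reg.define("agency", "NASA", "CA-7", "complete", "Agency monitoring plan")
    # Configuration settings documented by one system only.
    reg.define("system", "SYS-A", "CM-6", "complete", "NIST checklist applied")
    # SYS-B overrides the inherited training response with its own status.
    reg.define("system", "SYS-B", "AT-2", "incomplete", "Role-based training pending")
    systems = [
        System("SYS-A", {"agency": "NASA", "site": "MSFC", "system": "SYS-A"}),
        System("SYS-B", {"agency": "NASA", "site": "MSFC",
                         "master_plan": "MP-7", "system": "SYS-B"}),
    ]
    return reg, systems


if __name__ == "__main__":
    registry, sample_systems = build_sample()
    for area, (done, total) in registry.scorecard(sample_systems).items():
        print(f"{area:26s} {done}/{total} complete")
```

Passing a subset of systems to `scorecard` gives the drill-down to one organization; the resolver is what lets a site define its training response once while still letting an individual system owner document an exception.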
Now, about 600 IT professionals use ITSC throughout NASA. “We’ve had
many favorable responses from our IT peers,” Keasling said. “They see
where we’re headed and are optimistic and encouraging.”
The NASA staff is “pretty good at figuring out how to use a new system,”
Keasling said. NASA’s risk management team has representatives assigned
to each organization who offer hands-on individual training for each
person who requests an account. The ITSC staff provides a certification
and accreditation guide that illustrates how to use ITSC to get an IT
system certified and accredited. NASA also offers classroom instruction
and online training in which users can see the instructor’s desktop.