[ISN] Technique | NASA gets a grip on FISMA reporting

From: InfoSec News (alerts@private)
Date: Wed Oct 17 2007 - 23:58:54 PDT


http://www.gcn.com/print/26_25/45097-1.html

By Trudy Walsh
GCN.com
09/24/07 issue

NASA’s Marshall Space Flight Center employees develop key space 
transportation technologies, including some used in projects that will 
send astronauts to the moon and, eventually, Mars.

But they couldn’t get their Federal Information Security Management Act 
reporting off the ground.

Bob Keasling, a project manager at the Huntsville, Ala., center, 
described the agency’s FISMA reporting as “spreadsheet chaos.”

FISMA requires each agency to track metrics on different functional 
areas of information technology security. It requires agencies to:

    * Develop an agencywide security program.
    * Implement and adhere to security configuration standards developed 
      by the National Institute of Standards and Technology.
    * Identify and resolve risks.
    * Perform ongoing assessment and testing.
    * Conduct annual reviews on the effectiveness of the agency’s 
      information security and privacy programs and report the results 
      to the Office of Management and Budget annually.

At Marshall, some people used databases while others used spreadsheets 
and other documents to collect the required security data, but there was 
no standard method of data collection.

Keasling and a team at Marshall — including David Black, Vernon Bates, 
Jim McCraw and Raul Mejia — developed the Information Technology 
Security Center, an application to automate FISMA reporting. The 
application is designed to integrate the data and processes needed to 
manage an IT security program that complies with NIST security guidance 
as outlined by the FISMA framework.

When users log on to the Web browser-based ITSC, the first thing they 
see is the FISMA summary score card for their NASA center. For each 
functional area, the score card shows how many things need to be 
completed and how many are complete. Users can drill down to individual 
organizations within Marshall.

ITSC is based on a strong data foundation, Keasling said, where 
information is gathered from authoritative sources and integrated. 
Before ITSC, people had to find out who had the data and then ask for 
their piece of it, he said. Then they had to enter it into a document 
and try to merge it with other data.

Now, with ITSC, much of this data entry is automated, so users can focus 
on analysis. More time for analysis with better data means better 
security. “Our centralized system with standardized processes has 
improved coordination and communication,” Keasling said. “We are on the 
same page.”

ITSC maintains an inventory of systems and gives IT employees the 
ability to generate NIST-based certification and accreditation packages, 
one of the requirements of FISMA. The integration of personnel, 
equipment, network and application data; training records; 
certifications; configurations; vulnerabilities, and NIST-supplied 
security controls helps expedite the process of generating a C&A 
package.

The ITSC application also provides a change management feature that 
helps employees meet NIST’s continuous-monitoring phase of C&A. Changes 
are documented against a C&A package and submitted to a NASA board for 
approval. ITSC then sends e-mail notifications to staff members involved 
in the change process.

ITSC provides for data inheritance that allows common controls to be 
shared at the agency, site and master-plan levels. NIST uses the term 
common control to describe security controls that cover more than one 
system, Keasling said. For example, a site’s IT security training and 
awareness program may be the same for all systems. Instead of having 
each system owner document how they meet this control requirement, ITSC 
can define it once, and all systems at that site inherit that response.
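The inheritance model described in the two paragraphs above (common 
controls defined once at agency, site or master-plan level and inherited 
by every system below) and the score card that counts complete versus 
outstanding items can be modelled in a few dozen lines. The following 
Python is an added illustration, not ITSC code or any NASA artifact; the 
level names, the "nearest scope wins" rule, the control identifiers and 
the scope names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical inheritance levels, most general first. A response defined
# closer to the system takes precedence over one inherited from above.
# Level names follow the article's agency/site/master-plan wording; the
# ordering and the data shapes are assumptions made for this example.
LEVELS = ("agency", "site", "master_plan", "system")


@dataclass
class ControlCatalog:
    # responses[level][scope_name][control_id] -> documented response text
    responses: dict = field(
        default_factory=lambda: {lvl: {} for lvl in LEVELS}
    )

    def define(self, level, scope, control_id, text):
        """Record how a control is satisfied at one scope of one level."""
        self.responses[level].setdefault(scope, {})[control_id] = text

    def resolve(self, control_id, scopes):
        """Return (level, response) for the nearest defined response.

        scopes maps level -> scope name for the system being assessed,
        e.g. {"agency": "NASA", "site": "MSFC", "system": "SYS-42"}.
        The walk starts at the system and moves outward, so a system
        owner can override an inherited response but never loses one.
        """
        for level in reversed(LEVELS):
            scope = scopes.get(level)
            if scope is None:
                continue  # this system is not part of any scope at this level
            text = self.responses[level].get(scope, {}).get(control_id)
            if text is not None:
                return level, text
        return None, None

    def score_card(self, control_ids, scopes):
        """Count how many controls are answered locally, inherited, or
        still missing; 'missing' is the outstanding work the score card
        surfaces."""
        card = {"local": 0, "inherited": 0, "missing": 0}
        for cid in control_ids:
            level, _ = self.resolve(cid, scopes)
            if level is None:
                card["missing"] += 1
            elif level == "system":
                card["local"] += 1
            else:
                card["inherited"] += 1
        return card


def build_sample_catalog():
    # Constructed sample data: control ids and scope names are illustrative.
    cat = ControlCatalog()
    cat.define("agency", "NASA", "AT-1", "Agency security awareness policy")
    cat.define("site", "MSFC", "AT-2", "Site-wide annual awareness training")
    cat.define("master_plan", "MSFC-Plan-A", "CM-3",
               "Board-approved change control")
    cat.define("system", "SYS-42", "CM-3", "System-specific change control")
    return cat


def demo():
    """Score one constructed system against four constructed controls."""
    cat = build_sample_catalog()
    scopes = {"agency": "NASA", "site": "MSFC",
              "master_plan": "MSFC-Plan-A", "system": "SYS-42"}
    controls = ["AT-1", "AT-2", "CM-3", "RA-3"]
    # AT-1 and AT-2 are inherited, CM-3 is overridden locally, RA-3 is
    # documented nowhere -> {"local": 1, "inherited": 2, "missing": 1}
    return cat.score_card(controls, scopes)


if __name__ == "__main__":
    print(demo())
```

Because the walk starts at the system and stops at the first hit, the 
catalog records where each response came from. That provenance is worth 
keeping in a real package: editing a site-level response silently changes 
the accreditation evidence of every system that inherits it, so a change 
at a higher level should trigger the same review and notification path 
the article describes for system-level changes.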

Now, about 600 IT professionals use ITSC throughout NASA. “We’ve had 
many favorable responses from our IT peers,” Keasling said. “They see 
where we’re headed and are optimistic and encouraging.”

The NASA staff is “pretty good at figuring out how to use a new system,” 
Keasling said. NASA’s risk management team has representatives assigned 
to each organization who offer hands-on individual training for each 
person who requests an account. The ITSC staff provides a certification 
and accreditation guide that illustrates how to use ITSC to get an IT 
system certified and accredited. NASA also offers classroom instruction 
and online training in which users can see the instructor’s desktop.






This archive was generated by hypermail 2.1.3 : Thu Oct 18 2007 - 00:31:10 PDT