Technique | NASA gets a grip on FISMA reporting



By Trudy Walsh
09/24/07 issue

NASA’s Marshall Space Flight Center employees develop key space 
transportation technologies, including some used in projects that will 
send astronauts to the moon and, eventually, Mars.

But they couldn’t get their Federal Information Security Management Act 
reporting off the ground.

Bob Keasling, a project manager at the Huntsville, Ala., center, 
described the agency’s FISMA reporting as “spreadsheet chaos.”

FISMA requires each agency to track metrics on different functional 
areas of information technology security. It requires agencies to:

    * Develop an agencywide security program.
    * Implement and adhere to security configuration standards developed 
      by the National Institute of Standards and Technology.
    * Identify and resolve risks.
    * Perform ongoing assessment and testing.
    * Conduct annual reviews on the effectiveness of the agency’s 
      information security and privacy programs and report the results 
      to the Office of Management and Budget annually.

At Marshall, some people used databases, but others used spreadsheets 
and other documents to collect the required security data. But there was 
no standard method of data collection.

Keasling and a team at Marshall — including David Black, Vernon Bates, 
Jim McCraw and Raul Mejia — developed the Information Technology 
Security Center, an application to automate FISMA reporting. The 
application is designed to integrate the data and processes needed to 
manage an IT security program that complies with NIST security guidance 
as outlined by the FISMA framework.

When users log on to the Web browser-based ITSC, the first thing they 
see is the FISMA summary score card for their NASA center. For each 
functional area, the score card shows how many things need to be 
completed and how many are complete. Users can drill down to individual 
organizations within Marshall.

ITSC is based on a strong data foundation, Keasling said, where 
information is gathered from authoritative sources and integrated. 
Before ITSC, people had to find out who had the data and then ask for 
their piece of it, he said. Then they had to enter it into a document 
and try to merge it with other data.

Now, with ITSC, much of this data entry is automated, so users can focus 
on analysis. More time for analysis with better data means better 
security. “Our centralized system with standardized processes has 
improved coordination and communication,” Keasling said. “We are on the 
same page.”

ITSC maintains an inventory of systems and gives IT employees the 
ability to generate NIST-based certification and accreditation packages, 
one of the requirements of FISMA. The integration of personnel, 
equipment, network and application data; training records; 
certifications; configurations; vulnerabilities, and NIST-supplied 
security controls helps expedite the process of generating a C&A 

The ITSC application also provides a change management feature that 
helps employees meet NIST’s continuous-monitoring phase of C&A. Changes 
are documented against a C&A package and submitted to a NASA board for 
approval. ITSC then sends e-mail notifications to staff members involved 
in the change process.

ITSC provides for data inheritance that allows common controls to be 
shared at the agency, site and master-plan levels. NIST uses the term 
common control to describe security controls that cover more than one 
system, Keasling said. For example, a site’s IT security training and 
awareness program may be the same for all systems. Instead of having 
each system owner document how they meet this control requirement, ITSC 
can define it once, and all systems at that site inherit that response.
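As an added illustration (not ITSC's own code), here is the common-control inheritance just described, together with the per-system completion counts behind the score card mentioned earlier in the article: a response defined at the agency or site level is inherited by every system below it unless the system documents its own. The scope names, control IDs and response text are constructed for the example.

```python
"""Added example: resolving inherited common controls and rolling the result
into a FISMA-style score card. Scope names and control IDs are constructed."""
from dataclasses import dataclass, field

@dataclass
class Scope:
    """One level of the hierarchy: agency > site > master plan > system.
    `responses` maps a control ID to the text documenting how it is met."""
    name: str
    level: str
    parent: "Scope | None" = None
    responses: dict = field(default_factory=dict)

def resolve(scope):
    """Walk from the top of the hierarchy down to `scope`, merging responses so
    the most specific definition wins. Returns {control: (text, defined_at)}."""
    chain = []
    s = scope
    while s is not None:
        chain.append(s)
        s = s.parent
    resolved = {}
    for s in reversed(chain):          # agency first, the system itself last
        for ctrl, text in s.responses.items():
            resolved[ctrl] = (text, s.name)
    return resolved

def score_card(systems, required):
    """Per system: how many required controls have a response (inherited or
    local) and which ones are still missing, as a score card would show."""
    card = {}
    for sysm in systems:
        have = resolve(sysm)
        missing = sorted(c for c in required if c not in have)
        card[sysm.name] = {"complete": len(required) - len(missing),
                           "required": len(required), "missing": missing}
    return card

# Constructed sample data: one agency, one site, two systems under the site.
nasa = Scope("NASA", "agency", responses={"PL-1": "Agency security policy"})
msfc = Scope("MSFC", "site", nasa, {"AT-1": "Site training & awareness program"})
sys_a = Scope("Sys-A", "system", msfc, {"AC-2": "Local account management"})
sys_b = Scope("Sys-B", "system", msfc, {"AT-1": "System-specific training"})
REQUIRED = ("PL-1", "AT-1", "AC-2")

if __name__ == "__main__":
    for name, row in score_card([sys_a, sys_b], REQUIRED).items():
        print(name, row)
```

Sys-A inherits both the agency policy and the site training program, so all three controls are complete; Sys-B overrides the training control locally but has no account-management response, so one control remains open.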

Now, about 600 IT professionals use ITSC throughout NASA. “We’ve had 
many favorable responses from our IT peers,” Keasling said. “They see 
where we’re headed and are optimistic and encouraging.”

The NASA staff is “pretty good at figuring out how to use a new system,” 
Keasling said. NASA’s risk management team has representatives assigned 
to each organization who offer hands-on individual training for each 
person who requests an account. The ITSC staff provides a certification 
and accreditation guide that illustrates how to use ITSC to get an IT 
system certified and accredited. NASA also offers classroom instruction 
and online training in which users can see the instructor’s desktop.


