Changes coming for federal infosec managers
Information security managers in federal government agencies should expect to see new obligations and rules on security management practices in 2015, with changes brought about by the Federal Information Security Modernization Act (FISMA) that became law at the end of 2014 and from updates to key guidance from NIST, OMB, and DHS. The most relevant changes include:
- Implementing and maintaining continuous monitoring, likely enlisting the assistance of DHS and its Continuous Diagnostics and Mitigation (CDM) program, which is available to all agencies under a GSA-managed blanket purchase agreement. Each agency was supposed to have developed and submitted its information security continuous monitoring (ISCM) strategy to OMB last year, so with strategies in place, execution is the focus for 2015.
- Updating incident notification and reporting practices, to comply with requirements issued by US-CERT and to meet new requirements (particularly for reporting to Congress) included in the 2014 update to FISMA.
- Modifying security control assessment procedures following guidance in NIST Special Publication 800-53A Revision 4, released in December. Compared to the prior version, the revised assessment procedures break down security objectives (derived from security control descriptions in Special Publication 800-53) into a more fine-grained and explicit set of criteria to be used in security control assessments. The new guidance also includes assessment procedures for the privacy controls first added by NIST in April 2013 with 800-53 rev. 4.
- Adapting security management reporting procedures to satisfy new OMB and DHS requirements, including still-to-be-determined changes to OMB Circular A-130, Management of Federal Information Resources, called for in the new FISMA law “to eliminate inefficient or wasteful reporting.” These revisions to A-130 may not be made until much later in the year, but they are expected to substantially alter the documentation- and checklist-driven practices associated with system certification and accreditation under the current A-130 Appendix III, which was last updated in 2000.
Collectively, these anticipated changes (plus whatever prescriptive guidance DHS may issue under its newly codified authority over agency security operations) will make 2015 a year of transition for federal system owners and program managers (and their contractors) as the government tries to mature its information security management practices.