FISMA and Cyber Security

FISMA is the Federal Information Security Management Act of 2002. The goal of FISMA is to encourage government agencies to secure their data and information and to hold them accountable for doing so. Additionally, it encourages organizations that do business with the government to secure their information as well.

NIST SP 800-39, Managing Information Security Risk, defines risk management as “the program and supporting processes to manage information security risk to organizational operations (including mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation”. To integrate the risk management process throughout an organization and to address its mission and business concerns, a three-tiered approach is employed.

The process is carried out across three tiers with the objective of continuous improvement in the organization’s risk-related activities, with effective communication among tiers and stakeholders.


Figure 1 illustrates the three-tiered approach to risk management (NIST 800-53 r4 Summary).




In summary, NIST has requirements for assessment, enforcement, and compliance regarding how data and information are stored, transmitted, and shared. This forces organizations to test and correct for threats in their cyber infrastructure architecture by continuously monitoring, testing, securing, and correcting for cyber threats.


If a government agency fails to meet these requirements, it may be punished by reduced budgets and media exposure. Private and public organizations that do business with the government may have their contracts limited, revoked, or suspended. Furthermore, gross failures in complying with the rules may permanently disqualify organizations from doing business with the government.

Organizations spend considerable time, effort, and money buying and implementing security products and policies in an effort to meet these compliance requirements. Agencies test their security policies by conducting internal and external penetration scans, hiring auditors to review their policies, and implementing access control standards and other security countermeasures as described in a variety of NIST publications.

An article posted on net-security.org on September 23rd, 2013 discussed whether FISMA was helping or hurting cyber security efforts for the government. In my opinion, the article concludes what I think most people already believe: that compliance increases costs, makes implementing technology and strategy difficult, and does very little in the real world to increase or raise cyber security.

I believe there needs to be a fundamental shift away from compliance monitoring to continuous monitoring, shortening the attacker’s free time, reducing the kill chain, and detecting attacks.

References:

Federal cyber security pros lack confidence in FISMA. (n.d.). Retrieved June 15, 2014, from http://www.net-security.org/secworld.php?id=15627

Diwakar, A. (2013, July 30). Covert Operations: Kill Chain Actions using Security Analytics. Dr Chaos RSS. Retrieved June 15, 2014, from http://www.drchaos.com/covert-operations-kill-chain-actions-using-security-analytics/


© 2018 Dr. Chaos