Insights

With the release of Office of Management and Budget (OMB) Memorandum 11-33 on September 14, 2011, Executive Departments and Agencies are required to comply with a revised set of reporting guidelines for the Federal Information Security Management Act (FISMA) (Title III of the E-Government Act of 2002, Public Law 107-347). In addition to the standard set of security control assessment and reporting requirements aligned with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 3, these new requirements call for monthly reporting of several parameters commonly associated with Security Content Automation Protocol (SCAP) solutions. Specifically, organizations must now submit monthly data feeds through CyberScope for Common Platform Enumeration (CPE), Common Vulnerability Enumeration (CVE), and Common Configuration Enumeration (CCE) information. These feeds, unfortunately, do not entirely replace FISMA reporting or the ongoing authorization activities specified by NIST SP 800-37. So, what does this mean from a compliance perspective?

While OMB is striving to simplify the risk management process, it seems to be creating additional requirements that do not fully supersede current legislation. So, Executive Departments and Agencies must now procure additional security tools (if the ones they currently use are not SCAP compliant), manually enter FISMA metric data into CyberScope, and continue with the annual assessment activities required to maintain an ongoing authorization to operate (ATO) for their information systems. Landers and Company has a customized approach to integrating each of these processes so that the workload can be effectively balanced and duplication of effort avoided. We work with all SCAP vendors and Government clients to ensure that solutions can be effectively integrated.

News

September 18, 2012 - NIST releases SP 800-30 Revision 1, Guide for Conducting Risk Assessments

August 8, 2012 - NIST releases SP 800-61 Revision 2, Computer Security Incident Handling Guide


September 14, 2011 - OMB releases Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

The FY 2011 FISMA Reporting Instructions were released by the Office of Management and Budget (OMB) on September 14, 2011. This guidance was long anticipated as agencies continue implementing solutions capable of producing SCAP data feeds for common vulnerability enumeration (CVE), common configuration enumeration (CCE), and common platform enumeration (CPE) data elements.


June 1, 2011 - FY11 FISMA Reporting Metrics Released by DHS

FISMA reporting metrics were released by DHS on June 1, 2011. What was unanticipated is that these metrics do not focus on near real-time risk management through solutions for automated enterprise vulnerability and configuration management. Rather, these metrics seem misaligned with the overall direction of FISMA compliance as documented in the FY11 FISMA Reporting Instructions released by OMB.