Tip

FISMA compliance made easier with OpenFISMA

Managing security in a large corporation can be daunting, which is why the U.S. government has made a concerted effort to standardize best security practices. The Federal Information Security Management Act (FISMA) not only mandates the processes for information systems used by federal agencies and by contractors working with the government, but also provides an excellent security baseline for any large organization.

From an information security perspective, the first step in implementing FISMA guidelines involves gaining an understanding of the processes FISMA mandates, Then, practitioners typically rely on NIST publications, which guide security personnel through the baseline security requirements, detailing the more specific technical and operational controls needed to meet those requirements. Managing the compliance process can quickly become a challenge, however, because working with multiple parties on a broad range of controls overwhelms the typical spreadsheet and manual tracking process.

    Requires Free Membership to View

    Login

OpenFISMA can help: it automates the compliance process by using a platform-independent OSS Web application framework (Apache, MySQL, PHP) to manage the workflow. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, security assessments and vulnerability remediation.

To better understand how OpenFISMA can improve security, one example is the processes associated with a plan of actions and milestones (POA&M), which are the activities used for tracking and fixing security vulnerabilities. OpenFISMA provides a Web-based centralized repository to manage and track vulnerability reporting and remediation activities. Users log in to their role-based accounts to work through or oversee the compliance processes. Typical users would be the security officer (CSO or CISO), technical operations staff and the independent verifiers.

OpenFISMA's business rules provide guidance for the submission of remediation evidence and sign-off for the work performed. The user controls protect the integrity of the audit information from unauthorized access, modification and deletion. Timestamps support the ability to audit and account for each of the steps, and a reporting engine helps track performance against stated completion goals.

For more information
Learn how penetration testing can aid compliance efforts

Find out about open-source IDS audit tools
When using OpenFISMA, information about security weaknesses can be entered manually or ingested from automated sources by using popular vulnerability assessment scanners that output their results in XML, CSV or XLS formats. A known vulnerability then follows one of three typical paths: a) the finding is remediated, b) the finding is demonstrated to be a false positive, or c) the risk is accepted. A risk level can be assigned to help prioritize the level of threat to the organization and the mitigation strategy can be reviewed and approved by independent third parties. After the work to remediate the weakness is done, evidence for the remediation can be analyzed by third-party verifiers. Finally, assuming the remediation is accepted, the verifiers would close out the weakness.

Implementing government standards for security can be a huge task, but OpenFISMA provides structure and automation to help manage the process.

About the author:
Scott Sidel is an ISSO with Lockheed Martin. For more recommendations from the author, check out Scott Sidel's Downloads.


This was first published in October 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top