From an information security perspective, the first step in implementing FISMA guidelines involves gaining an understanding of the processes FISMA mandates, Then, practitioners typically rely on NIST publications, which guide security personnel through the baseline security requirements, detailing the more specific technical and operational controls needed to meet those requirements. Managing the compliance process can quickly become a challenge, however, because working with multiple parties on a broad range of controls overwhelms the typical spreadsheet and manual tracking process.
To better understand how OpenFISMA can improve security, one example is the processes associated with a plan of actions and milestones (POA&M), which are the activities used for tracking and fixing security vulnerabilities. OpenFISMA provides a Web-based centralized repository to manage and track vulnerability reporting and remediation activities. Users log in to their role-based accounts to work through or oversee the compliance processes. Typical users would be the security officer (CSO or CISO), technical operations staff and the independent verifiers.
OpenFISMA's business rules provide guidance for the submission of remediation evidence and sign-off for the work performed. The user controls protect the integrity of the audit information from unauthorized access, modification and deletion. Timestamps support the ability to audit and account for each of the steps, and a reporting engine helps track performance against stated completion goals.
Implementing government standards for security can be a huge task, but OpenFISMA provides structure and automation to help manage the process.
About the author:
Scott Sidel is an ISSO with Lockheed Martin. For more recommendations from the author, check out Scott Sidel's Downloads.
This was first published in October 2008