FISMA Series: Software Managed Assets, Vulnerability Management, and Configuration Management
Federal Information Security Modernization Act (FISMA) Scorecards are a crucial aspect of keeping federal agencies secure. These scorecards measure agency performance in different cyber “areas of concern” and identify weaknesses that risk being exploited by cybercriminals.
With many factors involved in determining a federal agency’s FISMA score, efforts to improve a score can be overwhelming. By leveraging these tips, organizations can start the process of identifying cyber gaps, making improvements, and raising their overall score.
3. Software Managed Assets
It is essential to track and manage the expansive array of software typically found within an agency’s IT environment. This includes ensuring that software is:
Acquired from known secure supply-chains
Delivered free of malware and bad code
Formally integrated into the enterprise
Effectively managed throughout its lifecycle
Most agencies require software to be pre-assessed and approved for use within their enterprise. Monitoring compliance with organizational software policy can be achieved through “white-listing,” which allows software on the list be deployed and operated. The inverse is "black-listing," which forbids certain software from being deployed and flags those found operating.
A lean, rigid and focused software profile provides agencies better security by compressing the scope exposure to risk.
The FISMA Scorecard evaluates software asset data and determines how many of the assets are compliant and approved. It is important to note that, in addition to licensing issues, cybersecurity engineers should be working with their operations team to determine if there is any obsolete, end-of-life operating system (OS) or software, unapproved software, or versions of software not up-to-date. A lean, rigid and focused software profile provides agencies better security by compressing the scope exposure to risk.
4. Vulnerability Management
Unlike the Weakness Remediation area of concern (Series Part I), which focuses on how effectively all vulnerabilities are being remediated, the Vulnerability Management column represents only “critical” and “high” vulnerabilities. These weaknesses pose the most significant threats to the enterprise and its data. A simple Google search can provide bad actors with step-by-step instructions on how to exploit weaknesses and compromise critical systems. New videos describing fresh tactics appear every day.
Most agencies have a short grace period on “Critical” and “High” vulnerabilities. Creating the Remediation Plan and socializing it with leadership and the development team as soon as possible is a critical first step. Prioritization of the findings and incorporating them into a working project plan is a necessary second step. If any item is expected to persist past the grace period, cybersecurity engineers may need to develop specific counter measures and deploy them to prevent exploitation (i.e., block specific ports or protocols, turn off services, disconnect assets, etc.) or mitigate the impact if the weakness is exploited (i.e., tokenizing data fields, restricting access, white-listing, etc.). Ultimately creating, documenting and deploying a process for expediting integration, testing, and validation of patches and releases is crucial to limiting an agency’s exposure to risk.
3. Configuration Management
Configuration Management (CM) represents how well systems manage deployed asset configurations within their boundary as they are evaluated against the organization’s approved baseline. Agencies that strive to maintain CM consistency across their enterprise reduce their risk posture and make it much easier to discover variances or mistakes that could leave a system vulnerable.
On the FISMA Scorecard, there are two columns for the CM area of concern. The first represents agency High Value Assets(HVAs) and the other represents non-HVA systems.
Ideally, agency assets are deployed with an approved configuration that is current, secure, and manageable. The asset is assessed regularly and receives updates as needed, when needed. In the real world however, agencies reform, merge and migrate; systems and assets are retained past their useful lives and into obsolescence; the footprint of technology expands exponentially; and compliance standards keep rising. As a result, managing an agency's CM posture gets increasingly difficult.
An excellent resource to combat the challenges CM managers face is the Secure Technical Installation Guide, or STIG. “STIGs” originated at the Defense Information Systems Agency (DISA) and are a recent newcomer on the federal CM landscape. STIGs were developed to provide DoD cyber engineers with common, baseline configuration standards and assessment tools suited to support a wide variety of technologies. STIG tools are free, posted on-line, and very effective when integrated into agency CM Plans.
For immediate support, to resolve a high risk concern, or to learn more about improving your FISMA Scorecard, email our cyber experts at firstname.lastname@example.org
Learn more in our third series, releasing July 26, focusing on malware defense and maintaining a high scorecard rating standard.