Part I. Earn a High FISMA Rating to Reduce Risk of Exploitation
FISMA Series: Weakness Remediation and Hardware Managed Assets
Federal Information Security Modernization Act (FISMA) Scorecards are a crucial aspect of keeping federal agencies secure. These scorecards measure agency performance in different cyber “areas of concern” and identify weaknesses that risk being exploited by cybercriminals.
With many factors involved in determining a federal agency’s FISMA score, efforts to improve a score can be overwhelming. By leveraging these tips, organizations can start the process of identifying cyber gaps, making improvements, and raising their overall score.
1. Weakness Remediation
The first FISMA Scorecard area of concern is “Weakness Remediation”. This area represents how well an organization managed to resolve a body of reported weaknesses. The FISMA Scorecard Rating Engine examines recorded vulnerabilities and evaluates each one for:
The length of time each item has been open.
Any Plan of Action & Milestones (POA&M) entries associated with it.
The target remediation date.
The actual remediation date.
Other details that indicate the vulnerability remediation process quality.
The FISMA Scorecard Rating Engine crunches the numbers and generates a rating value, with 96% and up being the desired target result.
Best practices for this area of concern are:
Making sure each identified weakness belongs to the system/program it is attributed to.
Recording weaknesses in a Remediation Plan (RP) and socializing the RP with the development team as soon as possible.
Identifying weaknesses that might persist past a given "grace period" and being ready to POA&M them immediately.
Creating realistic milestones within the POA&Ms.
Giving your POA&Ms the daily care and feeding they deserve (or they will grow into monsters).
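The checks the Rating Engine applies per finding (time open, POA&M presence, target versus actual remediation date, and whether a weakness is attributed to a known system) can be modelled as a small triage script. The following is an added illustration, not code from the FISMA Scorecard Rating Engine or from this page's author: the 30-day grace period, the status labels, the on-track ratio and the sample findings are all assumptions made for the example, not the scorecard's actual scoring rules.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed "grace period" (days) after which an open finding needs a POA&M.
GRACE_PERIOD_DAYS = 30
# Assumed system inventory used to catch misattributed findings.
KNOWN_SYSTEMS = {"HR-Portal", "Payroll"}


@dataclass
class Weakness:
    finding_id: str
    system: str
    opened: date
    target_remediation: Optional[date]  # milestone from the RP / POA&M
    actual_remediation: Optional[date]  # None while the finding is open
    has_poam: bool


def days_open(w: Weakness, as_of: date) -> int:
    """Age of the finding: until closure, or until `as_of` if still open."""
    end = w.actual_remediation or as_of
    return (end - w.opened).days


def classify(w: Weakness, as_of: date) -> str:
    """Assign one of the assumed status labels to a single finding."""
    if w.actual_remediation is not None:
        if w.target_remediation and w.actual_remediation > w.target_remediation:
            return "closed-late"
        return "closed-on-time"
    if days_open(w, as_of) > GRACE_PERIOD_DAYS and not w.has_poam:
        return "open-needs-poam"      # lingered past grace period, no POA&M
    if w.target_remediation and as_of > w.target_remediation:
        return "open-missed-target"   # POA&M milestone has slipped
    return "open-on-track"


def misattributed(records) -> list:
    """IDs of findings attributed to a system that is not in the inventory."""
    return [w.finding_id for w in records if w.system not in KNOWN_SYSTEMS]


def summarize(records, as_of: date) -> dict:
    counts: dict = {}
    for w in records:
        status = classify(w, as_of)
        counts[status] = counts.get(status, 0) + 1
    return counts


def on_track_ratio(records, as_of: date) -> float:
    """Assumed metric: share of findings closed on time or open and on track."""
    if not records:
        return 1.0
    good = {"closed-on-time", "open-on-track"}
    return sum(1 for w in records if classify(w, as_of) in good) / len(records)


# Constructed sample findings (not real data).
SAMPLE = [
    Weakness("F-001", "HR-Portal", date(2024, 1, 5), date(2024, 2, 5), date(2024, 1, 30), True),
    Weakness("F-002", "HR-Portal", date(2024, 1, 5), date(2024, 2, 5), date(2024, 3, 1), True),
    Weakness("F-003", "Payroll", date(2024, 3, 1), None, None, False),
    Weakness("F-004", "Payroll", date(2024, 3, 20), date(2024, 4, 1), None, True),
    Weakness("F-005", "Payroll", date(2024, 4, 5), date(2024, 5, 5), None, True),
    Weakness("F-006", "Unknown-App", date(2024, 2, 1), None, None, False),
]
AS_OF = date(2024, 4, 10)

if __name__ == "__main__":
    for w in SAMPLE:
        print(f"{w.finding_id:6} {w.system:12} {days_open(w, AS_OF):4}d  {classify(w, AS_OF)}")
    print("misattributed:", misattributed(SAMPLE))
    print(summarize(SAMPLE, AS_OF))
    print(f"on-track ratio: {on_track_ratio(SAMPLE, AS_OF):.2f}")
```

Run daily against the live POA&M export: anything in the "open-needs-poam" bucket is a finding that has outlived the grace period without a plan, and anything in "misattributed" cannot be defended in front of the scorecard because nobody owns it.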
2. Hardware Managed Assets
When performing credentialed scans, any asset found not to have a well-defined corporate configuration should receive additional analysis. These systems should be immediately assessed as possible “rogue” systems with the risk of data exfiltration. Even if an asset is a required component or appliance, an unstable asset operating outside the corporate Configuration Management (CM) regime poses serious risk to the entire system and its data.
Best practices for addressing this area of concern include:
Developing an enterprise asset naming convention.
Performing fully credentialed scans as often as feasible and conducting an analysis of the findings.
Deploying and operating tool(s) that can alert engineers regarding “rogue” assets.
Not allowing hardware, operating systems, or appliances to linger to the point of obsolescence and high risk.
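The four practices above combine naturally into one post-scan triage step: every host in a credentialed scan export is checked against the naming convention, against whether credentials actually worked (an asset that refused the scan credentials cannot have its configuration verified), against the approved baseline list, and against vendor end-of-support dates. The script below is an added example, not code from the page's author or from any scanning product; the `<site>-<role>-<NNN>` naming convention, the site and baseline lists, the end-of-life dates and the scan export are all constructed for illustration.

```python
import csv
import io
import re
from datetime import date

# Assumed enterprise naming convention: <site>-<role>-<NNN>, e.g. "dc1-web-042".
NAME_RE = re.compile(r"^(?P<site>[a-z]{2}\d)-(?P<role>[a-z]{2,6})-(?P<seq>\d{3})$")
KNOWN_SITES = {"dc1", "dc2", "hq1"}                       # assumed site codes
APPROVED_BASELINES = {"WS-2022-v3", "RHEL9-v2", "UBU2204-v1"}  # assumed CM baselines
# Placeholder end-of-support dates; take real values from vendor lifecycle pages.
EOL = {
    "Windows Server 2012 R2": date(2023, 10, 10),
    "CentOS 7": date(2024, 6, 30),
}

# Constructed credentialed-scan export (columns are assumptions).
SCAN_EXPORT = """\
host,ip,credentialed,os,baseline
dc1-web-042,10.1.4.42,yes,Windows Server 2022,WS-2022-v3
dc1-db-007,10.1.5.7,yes,RHEL 9,RHEL9-v2
printer-lobby,10.1.9.20,no,,
dc2-app-113,10.2.3.113,yes,CentOS 7,
hq1-fs-001,10.3.1.1,yes,Windows Server 2012 R2,WS-2012-v1
xx9-web-001,10.9.9.1,yes,RHEL 9,RHEL9-v2
"""
TODAY = date(2024, 8, 1)


def parse_export(text: str) -> list:
    """Parse the CSV export into one dict per asset."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(asset: dict, today: date) -> list:
    """Return the reasons an asset looks rogue; an empty list means it conforms."""
    reasons = []
    m = NAME_RE.match(asset["host"])
    if not m:
        reasons.append("name-nonconforming")
    elif m.group("site") not in KNOWN_SITES:
        reasons.append("unknown-site")
    if asset["credentialed"] != "yes":
        reasons.append("uncredentialed")          # configuration unverifiable
    if asset["baseline"] not in APPROVED_BASELINES:
        reasons.append("no-approved-baseline")    # outside the CM regime
    eol = EOL.get(asset["os"])
    if eol is not None and eol <= today:
        reasons.append("os-end-of-life")          # lingering into obsolescence
    return reasons


def rogue_candidates(assets: list, today: date) -> dict:
    """Map host -> reasons for every asset that needs engineer attention."""
    flagged = {}
    for a in assets:
        reasons = triage(a, today)
        if reasons:
            flagged[a["host"]] = reasons
    return flagged


def alert_lines(flagged: dict) -> list:
    """Render one alert line per flagged host, ready for a ticket or chat hook."""
    return [f"ROGUE-CANDIDATE {host}: {', '.join(reasons)}" for host, reasons in sorted(flagged.items())]


if __name__ == "__main__":
    assets = parse_export(SCAN_EXPORT)
    for line in alert_lines(rogue_candidates(assets, TODAY)):
        print(line)
```

A host that fails only the naming check may simply be a mislabelled appliance; a host that is uncredentialed, unnamed and unbaselined is the case the text calls out for immediate assessment as a possible rogue system, so the reasons list is worth carrying into the alert rather than collapsing to a single flag.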
The second and third parts of this series will cover Software Managed Assets, Vulnerability Management, Configuration Management, Malware Defense, and maintaining a high scorecard rating.
For immediate support, to resolve a high risk concern, or to learn more about improving your FISMA Scorecard, email our cyber experts at email@example.com