1. Risk Management: Contractor Responsibilities under the Federal Information Security Management Act of 2002 (FISMA) January 21, 2009

4. Contractor Risks: People Source: INFORMATION SECURITY: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk , GAO-05-362, p. 13, (General Accountability Office April 2005) (hereinafter “GAO Contractor Risks”) 3 Inadequate segregation of duties (e.g., software developer is the same individual who puts the software into production). Contractor or privileged users of federal data and systems who may not receive appropriate, periodic background investigations. Unauthorized personnel having electronic access to agency IT resources (including systems and data). Increased use of foreign nationals. Unauthorized personnel having physical access to agency IT resources (including systems, facilities, and data). People Risk description Category

5. Contractor Risks: Processes Source: GAO Contractor Risks, p. 13 4 Contractor or privileged users of federal data and systems may have ineffective patch management processes. Lack of effective compliance monitoring of contractors performing work off-site or privileged users of federal data and systems. Possible disclosure of agency-sensitive information to unauthorized individuals or entities. Failure by contractor or privileged users of federal data and systems to follow agency IT security requirements. Processes Risk description Category

6. Contractor Risks: Technology Source: GAO Contractor Risks, p. 13 5 Intentional or unintentional introduction of viruses and worms. Encryption technology may not meet federal standards. Incorporation of unauthorized features in customized application software. For example, a third-party software developer has the potential to incorporate “back doors,” spyware, or malicious code into customized application software that could expose agency IT resources to unauthorized loss, damage, modification, or disclosure of data. Technology Risk description Category

8. 2. Legislative history of FISMA and FISMA contractor provisions Despite FISMA Language, Primary Focus Has Been on Federal Agency Compliance 7

9. Legislative History 8 1987 Computer Security Act 1995 Paperwork Reduction Act 1996 Information Technology Reform Act 2000 Government Information Security Reform Act (GISRA) 2002 Federal Information Security Management Act (FISMA) 2008 S. 3474, FISMA Act of 2008 (2009)?

17. NIST Risk Management Framework Monitor Security Controls SP 800-37/SP 800-53A Categorize Information System FIPS 199/SP 800-60 R1 Select Security Controls FIPS 200/SP 800-53 R2 Supplement Security Controls SP 800-53 R2/SP 800-30 Document Security Controls SP 800-18 R1 Implement Security Controls e.g. , SP 800-70 R1 Assess Security Controls SP 800-53A Authorize Information System SP 800-37 RISK MANAGEMENT FRAMEWORK Security Life Cycle Start 16

18. Agency Grades Improving, But Still Lacking 17

24. 3. Agency difficulties in effectively obtaining contractor compliance with FISMA Wide Variance in How Agencies Handle Contractors 23

25. FISMA Applies Contractors, but How do we do it? No certainty about number and location of contractors Where? How Many? Inconsistent Contractual Requirements What have we agreed to do? Lack of Clear Guidelines How are we doing? Variance in how contractors manage risk 24 Could lead to information security risks…

37. Improving Contractor Compliance with FISMA Increase Oversight of Contractor Systems Improve Inventory of Contractor-Run Systems Contractually Impose Compliance 36

39. Information System Inventory: 22 of 25 IGs reported Inventory as 80 % complete Inventory Contractor-Run Systems 38 390 369 384 Not Categorized 168 205 334 Low 252 397 513 Moderate 295 236 121 High 1,105 1,207 1,105 Contractor Systems 229 331 585 Not Categorized 4,351 4,516 4,456 Low 3,264 3,174 2,497 Moderate 1,089 1,367 1,646 High 8,993 9,388 9,184 Agency Systems FY 2007 FY 2006 FY 2005 Systems/Impact Level

54. 4. Recent legislative initiatives to address shortcomings related to contractor compliance Finally Some Guidance? 53

61. 5. Tips for Contractors Some Considerations in an Uncertain Environment 60

63. 6. A Unified Approach to Compliance Integrate all state, national and international legal requirements into security and privacy program 62

64. Remember All of Your Security and Privacy Compliance Requirements GLBA HIPAA State International FISMA ISO NIST FIPS OECD AICPA Follow a UNIFIED APPROACH to Compliance 63

65. Thank You! M. Peter Adler Direct 202.220.1278 Mobile 202.251.7600 Direct Fax 800.684.2749 [email_address] Michael A. Hordell Direct 202.220.1232 Mobile 703.927.0769 Direct Fax 202.318.4527 [email_address] Questions?

66. Thank You Email Brian Dolan at [email_address] for a copy of today’s presentation or with questions for any of our speakers.