Board Report: 2014-IT-B-021 December 18, 2014
Our objectives for this audit were (1) to assess the Board of Governors of the Federal Reserve System’s (Board) processes to meet Federal Information Security Management Act of 2002 (FISMA) requirements for security categorization, certification and testing, security plans, and accreditation of its information systems and (2) to review how the Board compiles its FISMA documents and review activities within its automated workflow support tool. In addition, we analyzed the Board’s recently adopted risk management framework (RMF) document against National Institute of Standards and Technology (NIST) guidance. Appendix A provides details on our scope and methodology.
FISMA requires organizations to develop and implement an organization-wide information security program for the information and information systems that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source. For non-national-security programs and information systems, agencies must follow NIST standards and guidelines.
The Board has developed and implemented an organization-wide information security program that is documented in the Board Information Security Program (BISP). This document outlines the purpose, scope, and key objectives of the Board’s information security program and describes the principles and practices the Board uses to secure information. The BISP is a collection of policies and procedures and supporting appendixes that provides guidance on each phase of a system’s information security life cycle.
Early guidance on the information security life cycle came from Office of Management and Budget (OMB) Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, November 2000 (A-130), which established a minimum set of controls to be included in federal automated information security programs and assigned federal agency responsibilities for the security of automated information, along with the requirement for certification and accreditation.
In 2010, NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (SP 800-37) transformed the traditional certification and accreditation process into the six-step RMF. The revised process emphasizes the following:
SP 800-37 incorporates the traditional processes that the Board uses to authorize its information systems but expands the concept of risk management and promotes the NIST RMF. NIST’s RMF outlines steps of the information security life cycle as follows:
RMF step 1—categorize information system
RMF step 2—select security controls
RMF step 3—implement security controls
RMF step 4—assess security controls
RMF step 5—authorize information system
RMF step 6—monitor security controls
In September 2011, NIST issued Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137). SP 800-137 ties continuous monitoring into the NIST RMF with a target audience of individuals with implementation and operational responsibilities for mission/business processes, system development and integration, system and/or security management oversight, security control assessment and monitoring, and security.
Appendix B provides a list of additional guidance applicable for this review. The list is not intended to be all encompassing but rather to highlight the laws, regulations, and guidance that are current and relevant to this process.