To meet compliance requirements of the Federal Information Security Management Act (FISMA), federal agencies must tie planning, processes, and technology together to make effective use of agency resources while protecting the confidentiality, integrity, and accessibility of mission-critical information systems.
A 2006 survey of federal IT security professionals, performed by Cisco with Market Connections, highlighted two key barriers to meeting FISMA compliance: budget and existing security architectures. Appropriating the budget for IT security initiatives is often a challenge, whether for commercial or governmental entities. And the risks are high. Major financial loss and even loss of life may result from inadequate security measures within the U.S. government IT enterprise.
The other key barrier to FISMA compliance is the existing security architecture. The notion that security "fixes itself" is now a barrier to FISMA implementation and strong evidence of a reactive approach to federal IT security. Typically, for example, security officials would apply security fixes such as operating system patches to the environment, patching each vulnerability as a short-term fix. The long-term fix, addressing security issues at an architectural level that allows for interoperability among security solutions and across enterprises, has not been a priority.
Cisco views long-term secure information assurance as a top priority for federal agencies. This white paper begins with a summary of FISMA challenges and the risk management framework. It then explores three key areas for agencies to target (configuration management, access control, and incident response) to improve not only FISMA compliance but also overall information security. Lastly, this white paper addresses these three key FISMA areas with the Cisco Self-Defending Network solutions that are available to federal agencies.
The Self-Defending Network is Cisco's strategy to protect federal organizations from threats caused by both internal and external sources. This protection helps government organizations take better advantage of the intelligence in network resources, thus improving overall security while addressing FISMA requirements. Concerns that Cisco can address, helping to meet FISMA requirements, include unauthorized access, malicious code, scans and probes, improper usage, and denial-of-service attacks.