James Litchko and the DGI FISMA Training Program

Posted: February 12, 2018
Category: Cyber Security, Training
FISMA History
The Federal Information Security Management Act (FISMA) was enacted in 2002 as part of the E-Government Act of 2002. The purpose of this legislation was to spotlight the importance of information security to the security interests of the country. The Act requires each federal agency to develop, document and implement an agency-wide program to provide IT security for the information systems supporting the operations and assets of the agency, including those provided by contractors. Since 2009, Digital Government Institute has provided FISMA training seminars 2-3 times per year.
There has never been a time when security has been more important, not just to government but to society itself. In our data-driven, globally connected world, economic security is national security. Government performs multiple functions and, in doing so, must appropriately protect its systems and data. It must also work with the private sector in critical infrastructure sectors. Given the incredible rate of technological advances and the consumerization of IT, government is struggling to keep up.
One security professional who has lived through decades of IT/security evolution is Jim Litchko. Throughout his career, including time spent in the Navy and at NSA as well as in the private sector (now as a renowned consultant), he has always been on the cutting edge. Mr. Litchko created (and taught) the first graduate computer security course at Johns Hopkins. A few times each year, he leaves his home in sunny Portugal and heads to DC to share his expertise with attendees at DGI-sponsored FISMA training. Mr. Litchko’s goal is to decrease the complexity of security. Given the number of returning attendees, he must be achieving that goal. The training classes include students new to the subject as well as those with 30+ years of experience.
Important Documents
Two important documents covered in the course are NIST Special Publication 800-53 Rev. 5 (Draft), Security and Privacy Controls for Information Systems and Organizations,[1] and NIST Special Publication 800-37 Rev. 2 (Draft), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (Discussion Draft)[2]—both of which have their next iterations delayed “due to the full integration of privacy-related material”[3] still being in process.[4] He uses the NIST Cybersecurity Framework[5] as an outline for preparing System Security Plans. He prefers one document for Operations and Security—a Security Operations Plan—reasoning that the two have the same goals and that people should recognize the connection. The course also covers Metrics,[6] relevant frameworks (e.g., the Risk Management Framework, the System Development Life Cycle, the System Security Engineering Framework), DHS activities (e.g., automation such as Continuous Diagnostics and Mitigation,[7] as well as Trusted Internet Connections), and the cloud computing Federal Risk and Authorization Management Program (FedRAMP).
The course has been offered for nine years. The materials are regularly refreshed, and guest speakers from NIST and DHS provide the latest. Last year’s Cybersecurity Executive Order seemed to provide a key ingredient previously missing—accountability at the executive level within an agency. Time will tell whether security has improved as a result of that enticement. Agency reports are due to Congress and the Government Accountability Office by March 1, 2018.[8]
For more information, visit www.digitalgovernment.com
[1] https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft.
[2] https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft.
[3] “Planning Note (1/8/2018): Due to the full integration of privacy-related material into key NIST publications such as SP 800-37 and SP 800-53, the original production schedule has been delayed. NIST will be working with the Office of Management and Budget (OMB) to establish a new schedule of deliverables for all publications undergoing updates and will publish that schedule as soon as it is available.” https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft; https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft.
[4] The Planning Note from January 8, 2018 had not been updated as of February 7, 2018.

[5] https://www.nist.gov/cyberframework/draft-version-11.
[6] FY 2018 CIO FISMA Metrics, Version 1.0, 31 October 2017, https://www.dhs.gov/sites/default/files/publications/FY%202018%20CIO%20FISMA%20Metrics_V1_Final%20508.pdf.
[7] https://www.dhs.gov/cdm.

[8] M-18-02, Memorandum for the Heads of Executive Departments and Agencies: Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management Requirements (October 16, 2017), https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-18-02%20%28final%29.pdf.