A Matter of Compliance

By Stacey McDaniel

These days, "compliance" is a hot topic, and nowhere more so than within the federal government. Although the term "compliance" means something different to every agency, and to the various stakeholders within it, the intent of multiple regulations across industries has a core purpose: to ensure the security, the availability, and ultimately the integrity of government information. The sheer number of regulations and the varying levels of policy and technical guidance are a challenge. Agencies are best served by recognizing that the key to success is applying sound management techniques and good governance to their organizations. Compliance will be a by-product of these actions, however, for agencies navigating the road to compliance, it is important to make a distinction between IT compliance and regulatory compliance. In this article, we will discuss a strategic path that can help an agency deal with IT compliance and, in keeping with the notion of sound management and a good governance regulatory compliance as well.

Regulatory compliance
These are policies that are externally mandated. For example, the Federal Information Security Management Act of 2002 (FISMA) is mandated by Congress and enforced by the Office of Management and Budget (OMB). Here are more policies that many federal agencies must comply with that require some degree of IT contribution:

• Clinger-Cohen Act of 1996
• Computer Fraud and Abuse Act of 1986
  Electronic Communications Privacy Act of 1986 Executive Order 13011, "Federal Information Technology," 61 FR 37657
• Paper Work Reduction Act of 1995
• Privacy Act of 1974
• Homeland Security Presidential Directive 7 (HSPD-7) "Critical Infrastructure Identification, Prioritization, and Protection"
• OMB Circular A123, Management Accountability and Control, June 21, 1995 

Most of these external regulations lack detailed guidance on how to actually achieve compliance. For example, FISMA regulations instruct agencies to meet certain IT security standards, but provide little instruction on how to achieve compliance. This is where various frameworks come into play. Frameworks such as ISO-17799, ITIL and Special Publication (SP) 800-53 Recommended Security Controls for Federal Information Systems help by providing specific instructions for agencies trying to achieve regulatory compliance.

Internal IT compliance
In addition to all of the externally mandated regulations, agencies should not lose sight of the importance of establishing and maintaining internal IT policies that designate exactly how their IT infrastructure should function. On the policy side, this can include having internal documents governing privacy, email use, password management, and more. Internal controls should also be in place to regulate things like access control, incident management and recovery, and storage solutions.
 
A strategic approach
One of the major goals of external regulations is to assure that organizations demonstrate "due care" in providing appropriate IT controls that assure the security and privacy of information assets and protect them from damage or misuse. As we have mentioned, external regulations are often vague, and must be aligned with internal IT polices and industry best practices in order to achieve due care and satisfy auditors that compliance requirements have been met.
 
Working towards complying with any regulation, whether it is external or internal, requires an ongoing pattern of determining policies, identifying changes needed, and making the changes. Here are some strategic steps your agency can take:

1. Determine which IT policies you want to adhere to (these will likely be policies that will also help you meet external regulations, such as FISMA).

2. Inventory all IT assets, including hardware and software. This will help you identify everything you have, so you can determine what needs to be done to protect it.

3. Assign a level of risk that indicates how mission critical each system is so you can apply appropriate levels of security. This can be as simple as "high," "medium," and "low," with "high" indicating a mission critical system (deserving of maximum security levels), and "low" meaning that, should it go down, it would be inconvenient but would pose no major disruption (minimum security).

4. Determine the current compliance status of your systems.

5. Turn to industry best practices for recommendations (which set of best practices you choose will depend upon the regulations you are trying to comply with). Commonly used best practices come from the following sources:

• Center for Internet Security (CIS) configuration benchmarks, Level 1 or Level 2
• Sun Microsystems best practices
• National Institute of Standards and Technology (NIST) is now just completing all of its guidelines
• IT Infrastructure Library (ITIL(r)) an exceptionally well-known international approach to managing IT services

6. Upon creation of your policies, make sure the policies are communicated to employees.

7. Determine compliance status across the agency. For example, to determine compliance with a password policy, run a query of all workstations to look for those not in compliance.

8. Certification and Accreditation (C&A) -- The OMB defines requirements for certifying and accrediting the security of information systems for processing sensitive information. All security controls in place for operational systems must be reviewed, then certified and accredited every three years. C&A is a slow, manual process, but is required of every agency.

9. Quarterly FISMA status reports must be filed with the OMB.

10. If a system or machine is discovered to be non-compliant, a Plan of Action Milestone (POAM) should be developed. This involves identifying the machine, reporting the problem, noting what needs to be done, and when it will be fixed.

11. Perform a gap analysis. With regards to benchmarks you have set for your agency, determine where your systems currently are, and where they need to be.

Behind in security
Each year, Congress releases a report card that reveals the grades given to each of the 24 Federal agencies with regards to the agency's computer security status. The latest report card was released in March 2006, and the results were not good. For the second year in a row, the federal government as a whole earned a D+, and eight agencies received failing marks. Considering all of the regulations designed to improve security within the government, why has there been no marked improvement? Here are a couple of possible reasons:

• Shortage of funds: Many agencies are finding that budget cuts have left them without excess dollars to spend on IT security and compliance, yet they must attend effectively to both. In some cases, large proportions of an agency's security funds are being to used pay for things like hiring independent contractors to write FISMA-required reports as part of the C&A process. Such expenditures leave little money for implementing actual security measures.
• Overwhelming: While it is difficult to manage compliance with any one policy, it is overwhelming to manage compliance with ALL policies. Achieving effective, simultaneous compliance with numerous policies can be intimidating, and the process can be tedious. The time and manpower necessary for understanding requirements, collecting and analyzing data, and delivering meaningful, timely reports are at a premium.
  In many cases, this work is all done manually, and any time a change in the policy is made, the agency must manually modify its systems and processes to comply with the new version.

Conclusion
Federal agencies face all kinds of compliance issues. A shortage of manpower and funds, coupled with the sheer number of regulations, has left many agencies struggling with IT security. The good news is that most regulations are focused on the same desired result -- securing the IT environment. This means it is important for an agency to start by building a strong foundation, built on good internal IT controls and policies. Only then will an agency find success with external regulatory compliance.

Stacey McDaniel has been writing about high-tech issues for more than six years.