Continuously Monitoring the Cyber-Levee: An Introduction to FISMA Focus
In September 2005, the Center for Regulatory Effectiveness’ CyberSecure .US project published a widely reprinted article, “What will you do when the cyber-levee breaks?” The article explained that getting ready to cope with the aftermath of a disaster is an essential part of security preparedness. CRE’s key recommendation, one that is also applicable to preventing a disaster, was for the development of an interactive cybersecurity forum. As the article stated,
A broader initiative is needed for the second step in preparing for the day you would prefer occurs on someone else’s watch. It’s good to be able to bounce ideas off other people, particularly off people who have different backgrounds, perspectives and responsibilities.
A forum should be instituted that includes representatives from industry, academia, think tanks and all levels of government. … Instead of seeking “solutions,” the forum should focus on ventilating ideas. Irrespective of whether any consensus emerges, the very process of discussing concerns, views and suggestions would prove valuable to the participants.
FISMA Focus is a realization of many of the article’s goals, albeit with one difference. Instead of concentrating on post-disaster planning, FISMA Focus centers on compliance with NIST and OMB information security requirements. The forum, however, remains true to the ideas expressed in the article, creating an interactive resource that allows stakeholders from across the information security community to discuss federal cybersecurity issues and ideas.
One advance for FISMA Focus beyond what was imagined in 2005 is the development of Interactive Public Dockets (IPDs). CRE’s IPD design and development team has created an internet forum that combines the attributes of structure, ease of use, and the ability to post detailed, technical information in various formats.
To ensure ease of use and to preserve user anonymity where such anonymity is desired, FISMA Focus requires no registration. Users are free to identify themselves or not in any posting. CRE will screen all user-submitted posts for spam or other inappropriate material (obscenity, etc.), but we do not discriminate against any viewpoint. To the contrary, CRE welcomes and needs diverse perspectives on federal cybersecurity issues.
The initial focus of the forum will be on FISMA continuous monitoring requirements due to both the importance of the topic to the cybersecurity community and the imminent publication of the first draft of NIST Special Publication 800-137, Guide for Continuous Monitoring of Information Systems and Organizations. FISMA Focus includes a discussion forum dedicated to SP 800-137 issues from publication of the initial draft through various revision stages to finalization and use of the document. CRE will be posting key stakeholder comments and welcomes discussion of the comments. Users will, of course, be able to post whatever other comments and materials they think worthy of discussion.
CRE has created FISMA Focus to spur discussion of federal information security issues with the aim of improving the development, operation and management of our nation’s cybersecurity infrastructure. The success of this project will depend on our readers. We look forward to your participation.