How I Do the “FISMA Thang”

Posted December 18th, 2007 by

No big surprise, I’m a contractor who operates outsourced government IT systems. As a result, I get assessed and audited more than anybody else in the world (yes, hyperbole added). Anyway, I’m going to talk about what I give to my customers in the spirit of “object reuse”; it might come in handy for other people in the future.

I provide the following items to our account teams:

  • Pre-sales: Document explaining how the operations group handles security that can be dropped into a proposal. This is freely available because it doesn’t open up the cookie jar too much, and proposals to the government are available with the right requests anyway. A modified version is included below.
  • Pre-sales: Traceability matrix to delineate which controls are provided as part of the service. This is released only to the capture/account team. This is a work-in-progress because it’s a big bite to chew.
  • Post-sales: Security controls document covering shared controls that can be dropped into a system security plan. You can get this in electronic form with a signed NDA.
  • Post-sales: Addendum to Security Controls Document that describes the specifics on hybrid controls for your system.
  • Post-sales: Auditor binder with all local policies and evidence for common controls. You can look but you can’t take it with you.

This is the text of the pre-sales security description, remember it’s written for a general-purpose audience:

Security of the Government IT systems and the data at the $FooCorp Operations Center requires cooperation between the Government and $FooCorp for program-specific and hybrid controls not provided by either the Government (security governance, Exhibit 53 filing) or the Operations Center (physical security, personnel security, media protection).

The hosting, monitoring, and management services provided by the state-of-the-art $FooCorp Operations Center are specially designed, configured and managed to meet the special IT security requirements of our Federal customers. The facility supports a FIPS-199 and FIPS-200 moderate control baseline and provides a common controls subset of SP 800-53 for all customers. The Data Center, NOC, and SOC have been audited numerous times by a wide variety of client agencies and their Inspectors General in support of Security Test and Evaluation, Certification and Accreditation, and annual FISMA audits.

Upon client request, $FooCorp can provide the Government with a Security Controls Document that describes the security controls, primarily physical security, in place at the Operations Center. The SCD is designed to be a “drop-in” augmentation for the customers’ system security plans. The Operations Center staff also maintains an audit binder that is for on-premises viewing by auditors, C&A staff, or security testers.

Now, taking a look at what I have, basically I’m making the following points:

  • Security controls are a joint responsibility between the Government and $FooCorp.
  • I have common controls to save you time and money; you can get the full details after you hire us.
  • I have many other customers that are satisfied with my controls.

What I have on my wish-list for the future:

  • Being able to provide verification and validation of my common security controls. Yes, a properly scoped SAS-70 fits in here, but I don’t have the budget to make it happen, and it will end up being a duplication of effort in most cases where the customer wants to do their own assessment.
  • Being able to reuse evaluation results from one customer to share with other customers. So far, I haven’t gotten any traction on this because everybody wants to own their assessment results even though it’s a shared control.

Posted in Outsourcing, The Guerilla CISO, What Works | 3 Comments »

3 Responses

  1.  halon73 Says:

    GOLD I TELL YA! GOLD! Nice! As always you are wiser and more under-appreciated than you’ll ever know.

  2.  Vlad the Impaler Says:

    …and need we add… underpaid?
  3.  Cloud Computing and the Government | The Guerilla CISO Says:

    […] have a huge set of common controls that you get the documentation to.  It will have my name on it, but you don’t have to spend the money to get it […]