HUD develops best practices for FISMA reports

The Housing and Urban Development Department has produced best practices documents that it hopes to share with other agencies to improve the quality of their submissions to comply with security requirements. The products are policies and procedures, templates and instructions, frequently asked questions and answers, checklists, face-to-face training presentations, and feedback. The aim is to have best practices that all agencies can use and have the same quality starting point. They then can tailor their baselines for quality in their documents for the Federal Information Security Management Act. HUD, which achieved A+ on the fiscal 2006 FISMA report card, is using its information technology security program as a test bed for the best practices tools, said Patrick Howard, HUD’s chief information security officer. The best practices build on IT security guidelines from the National Institute of Standards and Technology. HUD and other agencies have added the next layer. “The best practices could make it easier for agencies to implement their security plan,” Howard said. “The documents have clear instructions, especially for people who don’t do security full time,” he said Dec. 6 at a meeting of the Information Security and Privacy Advisory Board. The board advises NIST on information security and privacy issues related to federal computer systems. “Agencies can begin to use these products immediately,” Howard said. “Results could be realized in 2008,” he added. The best practices apply to risk assessment, certification and accreditation testing, plans of action and milestones, and business impact and analysis. HUD also includes privacy impact assessments as part of documentation for FISMA. “We’re willing to share and see what others are doing. It should make FISMA documentation less onerous,” he said. Howard hopes that the NIST advisory panel will recommend that the Office of Management and Budget endorse the best practices products and mandate their use by agencies so the tools will be used consistently governmentwide to raise the quality of IT security information that agencies gather. Howard also would like NIST to assume ownership of the product set and maintain it. The documents also have a component for inspectors general. Brenda Abrams, IT audit manager at the IG’s office at the General Services Administration, worked with Howard at HUD for nine months on a risk assessment methodology for e-authentication. Abrams developed a template with instructions on a Microsoft Excel spreadsheet and boiled down explanations into simpler terms. The approach can provide more consistent audits of that area and a baseline for quality. Abrams plans to present her e-authentication methodology to the President’s Council on Integrity and Efficiency. “Our FISMA team will use this [tool] in 2008," Abrams said. "We haven’t been well-schooled in e-authentication."The best-practice IT security documentation products also can be used as a quality check for contractors or incorporated as part of a statement of work, she said.