Chapter 2. Protecting Government Systems
All of the issues pertaining to small and medium-sized enterprises that are covered in Part 3 are equally applicable to government systems. Just as an enterprise needs to protect itself, its suppliers, and its customers, the government must protect its systems and its citizens from security threats, both physically and in cyberspace. Local and national governments cannot afford major crises such as interruption of computer-based operations, loss of confidential data, or theft of computing resources. Well-publicized security incidents diminish public trust and present an obstacle to the promotion of e-government initiatives. Therefore, government’s first responsibility in terms of computer security is probably to “get its own house in order,” meaning that government agencies at all levels (national, provincial, and local) must protect the computer systems that they own and operate. These include the computer systems used by government agencies or ministries, including national defense authorities, law enforcement, public health and safety and emergency response agencies, and central banks. Government-owned infrastructures that are dependent on computers may also include water systems, hydroelectric dams, the air traffic control system, and other facilities, depending on what is privatized and what is government owned.
Leadership and Organization
Computer security poses leadership and organizational challenges within government. For purposes of defining responsibilities within government, is computer security an economic, national security, or law enforcement problem?
• Canada has put much of the authority for cybersecurity in its Ministry of National Defence.113
• In the United Kingdom, the Home Office, which is mainly a law enforcement ministry, has the lead.114
• The United States has put the issue within the newly created Department of Homeland Security, but consciously left the Computer Security Division of the National Institute of Standards and Technology under the Commerce Department.115
• Australia has created an E-Security Coordination Group to coordinate cybersecurity policy, an interagency body chaired by the National Office for the Information Economy, which is an Executive Agency116 under the Minister for Communications, Information Technology and the Arts.
• Italy has established an Interministerial Committee for Responsible Use of the Internet, managed by the Department of Innovation and Technologies in the Prime Minister’s Office.
• In Japan, in 2000, the Prime Minister established a branch for IT security in the Cabinet Office in order to better coordinate security policy and measures among ministries and agencies. The branch is composed of experts from concerned ministries and agencies and from the private sector.117
The choice of where within government to place cybersecurity leadership can be significant. For example, the issues surrounding the sharing of information about cyber-security vulnerabilities and when to disclose vulnerabilities to the public require a balancing of interests. Placing responsibility for cyber-security within the defense ministry, which likely has a tradition of national security secrecy, may hamper information sharing and produce a policy that does not sufficiently promote public awareness. Since public-private partnership is a major component of what we believe to be the most effective computer security strategy, leadership for cyber-security may better be placed within an economic affairs agency or an intergovernmental body under the nation’s chief executive.
113 Canada’s Office of Critical Infrastructure Protection and Emergency Preparedness is a civilian organization operating within the Ministry of National Defence.
114 The U.K.’s Home Office has created a National Infrastructure Security Coordination Centre (NISCC) to coordinate critical infrastructure protection issues, provide alerts and attack response assistance, and facilitate public-private relationships to protect infrastructure. Within NISCC, there is a Computer Emergency Response Team, known as UNIRAS. An Electronic Attack Response Group (EARG) is also within NISCC to provide assistance to critical infrastructure organizations and government departments that suffer an attack. UNIRAS will provide an early warning and alert service to all UK businesses. The NISCC website (http://www.niscc.gov.uk) provides detailed information on the British government’s approach.
115 In some ways, the United States is a complex model of coordination, and may therefore be of limited utility as an example for developing countries. The Homeland Security Act of 2002 places responsibility for security of both government and private sector computer systems in the Department of Homeland Security, but the Federal Information Security Management Act of 2002 gives the Office of Management and Budget in the White House responsibility for overseeing security of government computer systems, and a Homeland Security Council in the White House also has responsibility for coordinating cybersecurity policy.
116 Under Australian law, Executive Agencies are non-statutory bodies established by the Governor-General when a degree of independence within the governmental structure is needed and when the functions of the agency require a government-wide approach. The head of an Executive Agency is appointed by, and directly accountable to, a Minister, in this case the Minister for Communications, Information Technology and the Arts. See http://www.noie.gov.au/Projects/confidence/Protecting/nat_agenda.htm.
117 See http://www.kantei.go.jp/foreign/it/security/2000/0519taisei.html.
But more important than the question of which agency or agencies should be given responsibility for computer security is the point that some national leadership should be designated to ensure that computer security will receive government-wide attention. There are important organizational questions to be considered when it comes to getting powerful existing ministries to address computer security. If the agency with cyber-security leadership is granted only the powers of persuasion and publicity, its ability to improve security in other ministries may be limited. Therefore, mechanisms should be considered that give the office charged with cyber-security leadership the authority to require other ministries and departments to address the security of their own systems. The ultimate power to require ministries to comply with computer security standards may be the authority to disapprove those government agencies’ computer purchases that do not meet security standards.
To some extent, the United States has taken this approach, giving its Office of Management and Budget in the Office of the President authority to approve or disapprove expenditure of funds for computer systems based on various considerations, including security. Other less drastic measures include requiring ministries and government agencies to conduct annual cyber-security audits and report the results to the cyber-security office. Whatever structures are chosen, leadership from the office of the president or prime minister will probably be needed to ensure that all departments are taking the issue seriously.
Another organizational challenge for government is the problem of human resources: Governments may find it hard to attract and retain well-qualified computer security personnel. Effective responses may include college scholarships for computer security studies, where the scholarships require graduates to work a certain number of years for the government. A short-term solution may be a secondment program with the private sector whereby corporate cyber-security experts are loaned to the government but paid in whole or in part by their private sector employers. For both developed and developing countries, the problem of human resources in cybersecurity may be a manifestation of the government’s broader difficulty in paying salaries competitive with the private sector in order to attract qualified, committed employees.
Developing a National Cyber-Security Strategy
The process of developing a “national cyber-security strategy” can be an effective means of deciding what a nation’s cyber-security vulnerabilities are, what the government’s responsibilities should be, and what policies and legal reforms need to be adopted. A national cyber-security strategy can also define the relationship of the government to the private sector. Here we will focus mainly on the elements of a cyber-security strategy that concern protecting the government’s own computers. Later on in Part 4, we will discuss the role of the government in improving the security of private sector systems. The U.S. strategy explains the reason for the distinction:
“In general, the private sector is best equipped and structured to respond to an evolving cyber threat. There are specific instances, however, where federal government response is most appropriate and justified. Looking inward, providing continuity of government requires ensuring the safety of [the government’s] own cyber infrastructure and those assets required for supporting its essential missions and services. Externally, a government role in cyber-security is warranted in cases where high transaction costs or legal barriers lead to significant coordination problems; cases in which governments operate in the absence of private sector forces; resolution of incentive problems that lead to under provisioning of critical shared resources; and raising awareness.”118
118 The National Strategy to Secure Cyberspace [United States], February 2003, p. ix, http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.
To date, the United States has had probably the most extensive and most transparent process of developing a national cyber-security strategy, but the same themes emerge in the initiatives of other countries and international bodies. While details of the process and of the resulting organizational structures and laws will vary from country to country, the process of developing a cyber-security strategy is similar to that which many countries have undertaken in developing national ICT strategies.119 Indeed, security is best seen as a component of a nation’s ICT strategy, and a cyber-security strategy can be developed with the same institutions and mechanisms used to develop a nation’s basic program for ICT development. Japan, for example, has incorporated cyber-security into its “e-Japan Priority Policy Program” of March 2001.120
Looking at the experiences of those countries that have developed national cyber-security strategies, some common elements or phases emerge:
1. Assessment of national vulnerabilities and issuance of a public report that conceptualizes the issue and raises awareness of policymakers and the public;
2. Creation of a leadership structure within the executive branch to oversee the development and implementation of policy;
3. Drafting of a detailed national plan based on dialogue with the private sector;
4. Adoption of legislation and guidelines addressing such questions as information sharing and accountability.
The first phase is to broadly assess vulnerabilities and raise awareness. Australia, for example, published the report “Australia’s National Information Infrastructure: Threats and Vulnerabilities” in 1997. The report, prepared by the Defence Signals Directorate, concluded that Australian society was vulnerable to significant disruption due to vulnerabilities in computer networks and that no formal structure existed for the coordination and implementation of government policy for protecting critical infrastructures.121 In the United States, to study the issue, the President appointed a board of corporate and government officials, known as the President’s Critical Infrastructure Protection Board in 1996. The board had no regulatory powers and was not a permanent body. It conducted hearings, interviews, and research and issued a report that described the problem and drew the attention of policymakers, corporate officials, the media and the public. The Board presented its report in October 1997, calling for closer cooperation between the private sector and the government and making numerous specific recommendations.
The second phase is to create some permanent structure within the executive branch to coordinate policy development and implementation. In Canada, for example, following the issuance of an assessment by an inter-departmental Critical Infrastructure Protection Task Force, the government created an Information Protection Coordination Centre to collect information, assess threats, and analyze incidents and an Office of Critical Infrastructure Protection and Emergency Preparedness to provide national leadership on critical infrastructure protection issues.122
In the United States, Presidents Clinton and Bush issued a series of executive directives establishing policymaking and oversight bodies within the executive branch of the federal government. The directives called for the development of a national plan for infrastructure protection.123 These Presidential orders did not give federal agencies authority over the systems of the private sector; instead, they emphasized public-private partnership and information sharing. Other leadership structures are discussed above under “Leadership and Organization.”
119 For descriptions of how various other countries developed their cyber-security strategies, see International Critical Information Infrastructure Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002) http://www.isn.ethz.ch/crn.
120 http://www.kantei.go.jp/foreign/it/network/priority-all/index.html.
121 See International Critical Information Infrastructure Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002), p. 18, http://www.isn.ethz.ch/crn.
122 Office of Critical Infrastructure Protection and Emergency Preparedness [Canada], http://www.ocipep.gc.ca/critical/nciap/disc_e.asp.
123 President Clinton issued Presidential Decision Directive (PDD) 63: Critical Infrastructure Protection, May 22, 1998, http://www.fas.org/irp/offdocs/pdd-63.htm and PDD 62: Protection Against Unconventional Threats to the Homeland and Americans Overseas, May 22, 1998, http://www.fas.org/irp/offdocs/pdd-62.htm. In the aftermath of September 11, 2001, President Bush signed two executive orders reallocating functions and creating new entities within the executive branch responsible for critical infrastructure protection. E.O. 13228, Establishing the Office of Homeland Security and the Homeland Security Council, October 8, 2001, http://fas.org/irp/offdocs/eo/eo-13228.htm; E.O. 13231, Critical Infrastructure Protection in the Information Age, October 16, 2001, http://www.ciao.gov/News/EOonCriticalInfrastrutureProtection101601.html.
The third phase involves the development of the strategy itself. As noted above, a national cybersecurity strategy can be a free-standing document or it can be part of the nation’s overall ICT strategy. A key to this process is dialogue between government and the private sector. In Japan, which has incorporated cyber-security into its overall ICT strategy, the process was carried out jointly by the “IT Strategy Headquarters” established within the Cabinet and the “IT Strategy Council,” made up of 20 opinion leaders, which was established in order to combine private- and public-sector strengths.124 In the United States, the cyber-security strategy is a free-standing document.
Development of the U.S. cyber-security strategy involved a lengthy process of public dialogue, managed by the staff of the National Security Council. The first version of the strategy was issued in 2000. A revised plan was published in draft in the fall of 2002 and in final form in February 2003.125 At all stages of the process, the U.S. plans were drafted on the basis of extensive consultations within government and between the government and the private sector. Ten public meetings were held in major cities around the country to gather input on the development of the strategy. Civil society groups, trade associations and corporations were consulted. Other national cyber strategies include that of Australia.126
Other strategy efforts have been undertaken at a regional level. The European Union has developed a cyber-security strategy not in a single document, but rather in a series of Communications and proposals from the Commission and a Council resolution, issued over a period of years.127 The Asia Pacific Economic Cooperation (APEC) forum has adopted a regional cyber-security strategy, drafted by the Telecommunications and Information Working Group (TEL) with active participation of the private sector.128 The Organization of American States (OAS) has undertaken regional work as well.129 In June 2003, the OAS General Assembly approved a resolution calling for development of an inter-American strategy against threats to computer information systems and networks.130 The Organization for Economic Cooperation and Development (OECD) has issued a set of Guidelines that constitute a roadmap for governments (and private enterprises) in developing cybersecurity strategies.131
124 “e-Japan Priority Policy Program,” March 29, 2001, http://www.kantei.go.jp/foreign/it/network/priority-all/index.html.
125 The final version is The National Strategy to Secure Cyberspace, Feb. 14, 2003: http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf. The National Strategy to Secure Cyberspace was supplemented by The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, released March 4, 2003, http://www.dhs.gov/interweb/assetlibrary/Physical_Strategy.pdf. Both of these documents are implementing components of The National Strategy for Homeland Security, issued by the White House on July 16, 2002.
126 E-Security National Agenda [Australia], September 2001, http://www.noie.gov.au/projects/confidence/Protecting/nat_agenda.htm.
127 European Commission, Proposal for a Regulation of the European Parliament and of the Council - Establishing the European Network and Information Security Agency, Feb. 11, 2003, COM(2003) 63 final, 2003/0032 (COD), http://europa.eu.int/information_society/eeurope/action_plan/safe/documents/nisa_en.pdf; Council of the European Union, Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security, (2002/C 43/02), http://www.europa.eu.int/information_society/eeurope/action_plan/safe/netsecres_en.pdf; European Commission, Proposal for a Council Framework Decision on attacks against information systems, Apr. 19, 2002, COM(2002) 173 final, 2002/0086 (CNS), http://europa.eu.int/eur-lex/en/com/pdf/2002/com2002_0173en01.pdf; European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM (2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm; European Commission, Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee on the Regions - Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, Jan. 26, 2001, COM(2000) 890 final, http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html.
128 Available at: http://www.apecsec.org.sg/content/apec/apec_groups/working_groups/telecommunications_and_information.html. In October 2002, APEC Ministers underscored the importance of protecting the integrity of APEC's communications and information systems while allowing the free flow of information. In responding to this challenge, they supported the TEL cyber-security strategy and instructed officials to implement it. http://203.127.220.67/apec/ministerial_statements/annual_ministerial/2002_14th_apec_ministerial.html#policies.
129 The OAS’s initial work focused on cybercrime. See material compiled at http://www.oas.org/juridico/english/cyber_experts.htm.
130 Development of an Inter-American Strategy to Combat Threats to Cybersecurity, AG/RES. 1939 (XXXIII-O/03) (Resolution adopted at the fourth plenary session, held on June 10, 2003), http://www.oas.org/main/main.asp?sLang=E&sLink=http://www.oas.org/documents/eng/documents.asp.
131 Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, July 25, 2002, http://www.oecd.org/pdf/M00034000/M00034292.pdf; “Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security,” Organization for Economic Cooperation and Development, Working Party on Information Security and Privacy, DSTI/ICCP/REG(2002)6/FINAL, Jan. 21, 2003, http://www.olis.oecd.org/olis/2002doc.nsf/LinkTo/dsti-iccp-reg(2002)6-final.
A consistent set of themes emerges from these national, regional and international cyber-security strategies:
• Public-Private Partnership: Effective cybersecurity requires a public-private partnership.132 The private sector has primary responsibility for ensuring the security of its systems and networks.
• Public Awareness: “Participants in a network, whether as developer, owner, operator, or individual user, must be aware of the threats to and vulnerabilities of the network and assume responsibility for protecting that network according to their position and role.”133
• Best Practices, Guidelines and International Standards: Cybersecurity should be based on the growing number of voluntary, consensus-based standards and best practices being developed through international standards bodies and cooperative institutions. These standards are crucial guides to governments’ internal policies. Governments need not and should not mandate technical standards for the private sector.134
• Information Sharing: It is widely recognized that cyber-security efforts have been hampered by system operators’ reluctance to disclose vulnerabilities and attacks. Sharing of information should be encouraged among private sector entities, between the private sector and the government, and internationally.
• Training and Education: The APEC Strategy states, “The development of the human resources is critical to the success of efforts to improve security. In order to achieve cybersecurity, governments and corporations must have personnel trained in the complex technical and legal issues raised by cybercrime and critical infrastructure protection.”
• Respect for Privacy: ICT networks transmit and store communications and personal information of the most sensitive character. Privacy is a crucial component of trust in cyberspace and cybersecurity strategies must be implemented in ways compatible with the essential values of a democratic society.135
• Vulnerability Assessment, Warning and Response: As the APEC strategy puts it: “Successfully combating cybercrime and protecting information infrastructures depends upon economies having in place systems for evaluating threats and vulnerabilities and issuing required warnings and patches. By identifying and sharing information on a threat before it causes widespread harm, networks…can be better protected.”136
The United States Strategy calls for the creation of a National Cyberspace Security Response System to rapidly identify attacks on computer networks.
132 See, e.g., APEC, “Statement on the Security of Information and Communications Infrastructure,” Fifth APEC Ministerial Meeting on Telecommunications and Information Industry, Shanghai, China, May 29-30, 2002, http://www.apecsec.org.sg/virtualib/minismtg/telminAnnexB_SICI.html. Canada’s National Critical Infrastructure Assurance Program Discussion Paper emphasizes public/private sector interaction and cooperation. http://www.ocipep.gc.ca/critical/nciap/disc_e.asp (Draft), Nov. 1, 2002. Article 7 of Japan’s Basic Law on the Formation of an Advanced Information and Telecommunications Network Society specifies that the private sector is to take the lead in forming an advanced information and telecommunications network, with the state and local governments implementing supportive measures to ensure the private sector can exert its full potential. Basic Law on the Formation of an Advanced Information and Telecommunications Network Society, Law No. 144 of 2000, Nov. 2000, http://www.kantei.go.jp/foreign/it/it_basiclaw/it_basiclaw.html.
133 APEC Cybersecurity Strategy, http://www.apecsec.org.sg/content/apec/apec_groups/working_groups/telecommunications_and_information.html. See also, Council of the European Union, Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security, (2002/C 43/02), http://www.europa.eu.int/information_society/eeurope/action_plan/safe/netsecres_en.pdf. Awareness is a major theme as well of the OECD guidelines and the work of the G8.
134 For example, while the U.S. strategy addresses both government systems and privately owned and operated infrastructures, it concludes that the government should not dictate security standards for private sector systems. The National Strategy to Secure Cyberspace, February 2003, pp. 11, 15, http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.
135 Principle 5 of the OECD Guidelines is “Democracy.” OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, July 25, 2002, http://www.oecd.org/pdf/M00034000/M00034292.pdf. Protection of privacy and civil liberties is a guiding principle of the U.S. strategy. The National Strategy to Secure Cyberspace [United States], February 2003, p. 4, http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.
136 APEC Cybersecurity Strategy, http://www.apecsec.org.sg/content/apec/apec_groups/working_groups/telecommunications_and_information.html.
• International Cooperation: Governments should work together to develop compatible cybercrime laws and law enforcement cooperation, and should work through international organizations to facilitate dialogue and partnerships among international public and private sectors focused on protecting and promoting a global “culture of security.”137
The process of developing and implementing a cyber-security strategy for a government has many of the same elements as the development and implementation of a computer security program for a corporate enterprise:
• Assess vulnerabilities.
• Raise awareness.
• Designate program leadership to serve as policy coordinator and for oversight.
• Develop a risk management program.
• Adopt appropriate security guidelines.
• Structure accountability.
• Periodically reassess and continuously improve.
The fourth phase (focusing for the moment on the security of government systems) is the promulgation of guidelines or the enactment of any necessary laws addressing cyber-security issues. Some countries, such as Japan and Italy, have approached this issue through guidelines. In July 2000, the IT Security Promotion Committee at the Cabinet level issued “Guidelines for IT Security Policy,” requiring all offices and ministries by FY2003 to implement an assessment of IT security policies and to take other steps to raise the level of security. In March 2001, Japan’s Inter-Ministerial Council for Promoting the Digitization of Public Administration issued security guidelines for all IT government procurements.138 In the United States, where the Congress concluded that the Executive Branch was not adequately improving the security of government computer systems, Congress adopted the Federal Information Security Management Act (FISMA) of 2002, strengthening requirements and oversight mechanisms within the federal government.139 A similar approach has been followed in Tunisia, where the government in 2002 adopted security regulations that require government agencies to perform an annual security audit of their computer systems.
Structuring Responsibility: Implementing a Cyber-Security Strategy for Government Systems – The U.S. Approach
In the United States, policy for addressing the security of the federal government’s own information systems is defined in greater detail and implemented through the Federal Information Security Management Act, adopted in 2002.140 The law illustrates some of the ways in which accountability can be built into implementation of cyber-security across multiple agencies.
The stated purpose of FISMA is to provide government-wide management and oversight of computer security, including coordination of information security efforts throughout the civilian, national security, and law enforcement agencies, and to provide for the development and maintenance of minimum controls required to protect government information systems. The law acknowledges that commercially developed products offer dynamic and effective computer security solutions for the government. It leaves to individual agencies the selection of specific technical hardware and software security solutions from among commercially developed products.
137 International cooperation has been a major theme of the G8, see Presidents’ Summary: Meeting of G8 Ministers of Justice and Home Affairs, Paris, May 5, 2003, http://www.g8.utoronto.ca/justice/justice030505.htm, and of the OECD as well.
138 http://www.kantei.go.jp/foreign/it/network/priority-all/7.html. Italy’s Minister for Innovation and Technologies issued “The government's guidelines for the development of the information society” in June 2002, http://www.innovazione.gov.it/eng/documenti/linee_guida_eng.pdf. The audit office of New South Wales, Australia has issued a checklist for governments called “Implementing e-Government - Being Ready,” http://www.audit.nsw.gov.au/guides-bp/e-govt-BPG.pdf, which includes a chapter on security.
139 Federal Information Security Management Act, Title III of the E-Government Act of 2002, Pub. Law 107-347, http://csrc.nist.gov/policies/FISMA-final.pdf. FISMA is discussed further below.
140 Federal Information Security Management Act, Title III of E-Government Act of 2002, Pub. Law 107-347, http://csrc.nist.gov/policies/FISMA-final.pdf and http://www.fedcirc.gov/library/legislation/FISMA.html. Parts of FISMA are codified in Titles 40 and 44 of the United States Code.
141 Title 44, United States Code, section 3544.
FISMA requires the head of each agency to develop, document, and implement an agency-wide Information Security Program for the information systems that support the operations of the agency, including those provided or managed by contractors.141 The program must include:
• Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or systems.
• Policies and procedures that:
o are based on the risk assessments;
o cost-effectively reduce information security risks;
o ensure that information security is addressed throughout the life cycle of each agency information system; and
o ensure compliance with OMB requirements and security standards.
• Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems.
• Security awareness training for agency personnel, contractors, and other users of information systems that support the operations of the agency.
• Periodic testing and evaluation (not less than annually) of the effectiveness of information security policies, procedures and practices, which includes testing of management, operational, and technical controls.
• A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency.
• Procedures for detecting, reporting, and responding to security incidents.
• Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
Each agency is required to submit an annual report to the Director of the Office of Management and Budget (OMB, part of the Executive Office of the President) and to Congressional committees on the adequacy and effectiveness of information security policies, procedures and practices and on compliance with each element of the required agency-wide Information Security Program. Additionally, the adequacy and effectiveness of information security policies, procedures, and practices must be addressed in a number of other plans and reports, including those relating to annual agency budgets, program performance, financial management, and internal accounting and administrative controls. Any deficiencies in policies, procedures, and practices that are identified must be reported to OMB and the Congress.142
Annually, each agency must have an independent security evaluation performed to determine the effectiveness of its information security program and practices. Each evaluation must include testing of the effectiveness of information security policies, procedures and practices of a representative subset of the agency’s information systems, and an assessment of compliance with relevant information security policies, procedures, standards, and guidelines.143
FISMA requires the Director of OMB to oversee the development and implementation of all information security policies and practices. FISMA also vests authority in the National Institute of Science and Technology to develop standards and guidelines for minimum information security requirements144 and requires the Director of OMB to oversee agency compliance with these requirements and to review at least annually agency information security programs. The OMB Director is charged with reporting annually to Congress on the agencies’ performance.145
142 Id.
143 Title 44, United States Code, section 3545.
144 Title 40, United States Code, section 11331.
145 Title 44, United States Code, section 3543.