PCIE Project: FISMA Evaluation Framework

Slides: 6
Provided by: rrau

Transcript and Presenter's Notes

1
PCIE Project FISMA Evaluation Framework
  • CIO Council Symposium
  • August 31, 2005

2
Background
  • FISMA requires annual independent evaluations of
    information security programs by cognizant OIG
  • Recent interest by Congress, OMB and GAO in an
    OIG evaluation framework
  • Possible benefits cited include:
      • Improved effectiveness and efficiency
      • Consistency and comparability
      • Quality control

3
Framework Concepts
  • Coverage of Federal enterprise-wide security
    program, defined by:
      • Statutory requirements
      • OMB guidance
      • NIST standards and publications
      • Other sources
  • Risk-based approach
  • Scalability and Adaptability

4
Framework Concepts
  • Multi-year strategy reflective of long-term
    CIO/OIG relationship
  • Reliance on properly designed and implemented
    security controls
  • Testing toolkit
  • NIST PRISMA review methodology for assessing
    security program maturity being considered as an
    approach

5
Framework Programmatics
  • Objective is to have framework in place for 2006
    FISMA Evaluations
  • Initial strategy proposal to PCIE in September
    2005
  • Encouraging broad OIG representation and
    involvement of other Federal entities in process