Information system security compliance to FISMA standard: a quantitative measure

Telecommunication Systems

Abstract

To ensure that safeguards are implemented to protect against the majority of known threats, industry leaders are requiring information processing systems to comply with security standards. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and its associated suite of guidance documents describe the minimum security requirements (controls) for non-national-security federal information systems mandated by the Federal Information Security Management Act (FISMA), enacted into law on December 17, 2002, as Title III of the E-Government Act of 2002. The subjective compliance assessment approach described in the RMF guidance, though thorough and repeatable, lacks a standard quantitative metric that states an information system's level of compliance with the FISMA-required standard. Given subjective RMF assessment data, this article suggests the use of Pathfinder networks to generate a quantitative metric suitable for measuring, managing, and tracking the status of information system compliance with FISMA.



Corresponding author

Correspondence to Elaine Hulitt.

Cite this article

Hulitt, E., Vaughn, R.B. Information system security compliance to FISMA standard: a quantitative measure. Telecommun Syst 45, 139–152 (2010). https://doi.org/10.1007/s11235-009-9248-8
