Abstract
To ensure that safeguards are implemented to protect against the majority of known threats, industry leaders are requiring information processing systems to comply with security standards. The National Institute of Standards and Technology Federal Information Risk Management Framework (RMF) and its associated suite of guidance documents describe the minimum security requirements (controls) for non-national-security federal information systems mandated by the Federal Information Security Management Act (FISMA), enacted into law on December 17, 2002, as Title III of the E-Government Act of 2002. The subjective compliance assessment approach described in the RMF guidance, though thorough and repeatable, lacks the clarity of a standard quantitative metric that describes an information system's level of compliance with the FISMA-required standard. Given subjective RMF assessment data, this article suggests the use of Pathfinder networks to generate a quantitative metric suitable for measuring, managing, and tracking the status of information system compliance with FISMA.
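The Pathfinder step named in the abstract, shown here as an added illustration rather than code from the article: the block implements the standard PFNET(q, r) pruning rule (a link survives only if no alternative path of at most q links is shorter under the Minkowski r-metric) and runs it over a constructed dissimilarity matrix whose nodes are five SP 800-53 control families. The two matrices, the choice of control families as nodes, and the Jaccard overlap used to compare an assessed system's network with a reference network are assumptions made for this example; the article's own compliance metric is not reproduced.

```python
"""Pathfinder network (PFNET) pruning over constructed assessment data.

Added example, not the article's code.  The pruning rule is the standard
PFNET(q, r) definition; the distance values, node labels and the Jaccard
comparison are hypothetical and exist only to exercise the algorithm.
"""
from itertools import combinations

INF = float("inf")


def minkowski(a, b, r):
    """Combine two link weights along a path with the Minkowski r-metric."""
    if a == INF or b == INF:
        return INF
    if r == INF:                      # r = infinity: path length is its largest link
        return max(a, b)
    return (a ** r + b ** r) ** (1.0 / r)


def pathfinder(dist, q, r):
    """Return the set of links (i, j), i < j, retained by PFNET(q, r).

    dist is a symmetric n x n matrix of dissimilarities (0 on the diagonal,
    INF where no direct link exists).  A direct link is kept only if no
    path of at most q links between the same nodes is shorter under the
    r-metric; ties keep the link, so the r = INF, q = n - 1 network is the
    union of all minimum spanning trees.
    """
    n = len(dist)
    w = [row[:] for row in dist]      # best distance using paths of <= 1 link
    for _ in range(q - 1):            # extend to paths of <= 2, 3, ..., q links
        nxt = [row[:] for row in w]
        for i in range(n):
            for j in range(n):
                for m in range(n):
                    cand = minkowski(w[i][m], dist[m][j], r)
                    if cand < nxt[i][j]:
                        nxt[i][j] = cand
        w = nxt
    return {
        (i, j)
        for i, j in combinations(range(n), 2)
        if dist[i][j] < INF and dist[i][j] <= w[i][j] + 1e-9
    }


def jaccard(links_a, links_b):
    """Overlap of two link sets: 1.0 means identical networks, 0.0 disjoint."""
    union = links_a | links_b
    return len(links_a & links_b) / len(union) if union else 1.0


def control_links(labels, links):
    """Render a link set as sorted 'FAMILY-FAMILY' strings for reporting."""
    return sorted(f"{labels[i]}-{labels[j]}" for i, j in links)


# Constructed data (hypothetical): dissimilarity between the assessment
# profiles of five control families, indexed AC=0, AU=1, CM=2, IA=3, SC=4.
FAMILIES = ["AC", "AU", "CM", "IA", "SC"]
REFERENCE = [                         # network for a fully compliant baseline
    [0, 1, 5, 2, 6],
    [1, 0, 4, 3, 6],
    [5, 4, 0, 3, 2],
    [2, 3, 3, 0, 4],
    [6, 6, 2, 4, 0],
]
SYSTEM = [                            # same families, an assessed system's data
    [0, 1, 5, 2, 6],
    [1, 0, 2, 3, 6],
    [5, 2, 0, 6, 2],
    [2, 3, 6, 0, 4],
    [6, 6, 2, 4, 0],
]


def compliance_overlap(reference, system, q=None, r=INF):
    """Score how closely the system's PFNET matches the reference PFNET."""
    q = len(reference) - 1 if q is None else q
    return jaccard(pathfinder(reference, q, r), pathfinder(system, q, r))


if __name__ == "__main__":
    ref = pathfinder(REFERENCE, q=4, r=INF)
    sys_net = pathfinder(SYSTEM, q=4, r=INF)
    print("reference PFNET:", control_links(FAMILIES, ref))
    print("system PFNET:   ", control_links(FAMILIES, sys_net))
    print("overlap score:  ", compliance_overlap(REFERENCE, SYSTEM))
```

With r = INF and q = n - 1 both matrices prune to a spanning chain, and the two chains share three of their four links, so the overlap score is 0.6. Lowering q to 2 on the system data keeps an extra IA-SC link, because the only shorter route between those families needs three links; raising r toward 1 keeps every link of the reference matrix, which is why PFNET practitioners report the (q, r) pair alongside any network-derived score.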
Hulitt, E., Vaughn, R.B. Information system security compliance to FISMA standard: a quantitative measure. Telecommun Syst 45, 139–152 (2010). https://doi.org/10.1007/s11235-009-9248-8