Information system security compliance to FISMA standard: a quantitative measure

To ensure that safeguards are in place against the majority of known threats, industry leaders are requiring information processing systems to comply with security standards. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and its associated suite of guidance documents describe the minimum security requirements (controls) for non-national-security federal information systems mandated by the Federal Information Security Management Act (FISMA), enacted on December 17, 2002, as Title III of the E-Government Act of 2002. The compliance assessment approach described in the RMF guidance is thorough and repeatable, but its judgments are subjective and it offers no standard quantitative metric for stating how closely an information system complies with the FISMA-required standard. Given subjective RMF assessment data, this article proposes using Pathfinder networks to derive such a metric, one suitable for measuring, managing, and tracking the compliance status of an information system.
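The abstract names Pathfinder network scaling as the tool for turning subjective assessment data into a quantitative measure but does not reproduce the algorithm or the paper's data. The following is an added example, not code from the article: an implementation of the standard PFNET(r, q) link-pruning rule (Schvaneveldt and Dearholt) run over a constructed distance matrix between five control families. The family labels, the distance values, the mapping "0 = identical assessment outcome, 1 = completely dissimilar", and the `link_count` summary are all assumptions made for illustration; the page does not state how the paper derives its compliance metric from the resulting network.

```python
"""Pathfinder network scaling (PFNET(r, q)) over a constructed proximity matrix.

Added example: the PFNET pruning rule referenced by the abstract, applied to a
made-up matrix of assessment distances between control families. The matrix,
labels and the link_count summary are assumptions; the page does not give the
paper's data or its exact metric definition.
"""
import math

# Constructed sample: pairwise "distance" between assessed control families,
# where 0 = identical assessment outcome and 1 = completely dissimilar.
# Labels follow NIST SP 800-53 family mnemonics; the numbers are invented.
LABELS = ["AC", "AU", "IA", "SC", "CM"]
DIST = [
    [0.0, 0.4, 0.2, 0.6, 0.7],
    [0.4, 0.0, 0.5, 0.3, 0.8],
    [0.2, 0.5, 0.0, 0.7, 0.9],
    [0.6, 0.3, 0.7, 0.0, 0.5],
    [0.7, 0.8, 0.9, 0.5, 0.0],
]


def minkowski(x, y, r):
    """Combine two link weights along a path under the Minkowski r-metric.
    r=1 is ordinary additive path length; r=inf reduces to the maximum link."""
    if math.isinf(r):
        return max(x, y)
    return (x ** r + y ** r) ** (1.0 / r)


def pathfinder(dist, r=math.inf, q=None, labels=LABELS, tol=1e-9):
    """Return the PFNET(r, q) links as a sorted list of (label_a, label_b) pairs.

    A direct link a-b survives only if no path of at most q links has a
    smaller r-metric weight than the direct distance. With r=inf and q=n-1
    the result is the union of all minimum spanning trees of the matrix.
    """
    n = len(dist)
    if q is None:
        q = n - 1
    # best[a][b]: cheapest r-metric cost over paths of at most i links,
    # built up one extra link per iteration (dynamic programming).
    best = [row[:] for row in dist]
    for _ in range(2, q + 1):
        nxt = [row[:] for row in best]
        for a in range(n):
            for b in range(n):
                if a == b:
                    continue
                for k in range(n):
                    if k in (a, b):
                        continue
                    cand = minkowski(best[a][k], dist[k][b], r)
                    if cand < nxt[a][b]:
                        nxt[a][b] = cand
        best = nxt
    links = []
    for a in range(n):
        for b in range(a + 1, n):
            # Keep the direct link if it is at least as cheap as any indirect path
            # (tolerance absorbs floating-point noise from the r-metric power).
            if dist[a][b] <= best[a][b] + tol:
                links.append(tuple(sorted((labels[a], labels[b]))))
    return sorted(links)


def link_count(dist, r=math.inf, q=None):
    """Number of retained links: a simple structural summary of the network.
    Assumption: a stand-in illustration, not the paper's own metric."""
    return len(pathfinder(dist, r, q))


if __name__ == "__main__":
    for r in (math.inf, 1):
        print(f"PFNET(r={r}, q={len(DIST) - 1}):", pathfinder(DIST, r=r))
```

Running it shows the effect of the `r` parameter on the same data: with `r = inf` only the four strongest relationships survive (the minimum spanning tree), while `r = 1` keeps every link because no two-hop sum of distances undercuts a direct one. Whatever scalar the paper derives from the network, this is the step at which subjective pairwise judgments become a fixed graph that can be measured and tracked between assessments.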
