The Office of Electronic Government was created under the E-Government Act of 2002 to “improve government IT.”[22] The office is part of OMB and is devoted to implementing the President’s e-government agenda, which includes the E-Government Act (and FISMA), the GPEA, the Clinger-Cohen Act, and others.
Federal CIO Council

The Federal CIO Council was established in 1996 by Executive Order 13011[23] and written into law under the E-Government Act of 2002. As required by the E-Government Act, each federal agency must have a Chief Information Officer. The CIO Council is made up of several departments and agencies and “serves as the principal interagency forum for improving practices in the design, modernization, use, sharing, and performance of Federal Government agency information resources.”[24] The Deputy Director of Management at OMB chairs the CIO Council.

Congress

The House of Representatives and Senate, of course, introduce, debate, and create federal law. They also evaluate laws for effectiveness; for example, OMB must report on the implementation and status of FISMA across federal agencies.
The Five Commandments
Just as important as C&A itself are the steps before and after C&A. A series of guidelines has been developed by NIST to assist federal agencies through the entire compliance process, not just C&A. These documents outline best practices and identify standards and procedures for security controls.

The practical “Government System Certification: A Guide to Government Mandates” by Christian Enloe[25] did an excellent job of addressing the steps involved in C&A as they were written at the time, and it serves as a good starting point for understanding C&A. However, the guidelines have since been updated and new documents have been released.
The primary C&A documents, once fully completed and released, will consist of:[26]
© SANS Institute 2004, Author retains full rights.
Standards for Security Categorization of Federal Information and Information Systems (FIPS Publication 199)
Guide for the Security Certification and Accreditation of Federal Information Systems (NIST Special Publication 800-37)[27]
[22] CIO Magazine, “A More Perfect Union.” http://www.cio.com/archive/030103/union.html
[23] CIO Council. http://www.cio.gov/index.cfm?function=councildescription&subsection=aboutthecouncil
[24] CIO Council. http://www.cio.gov/index.cfm?function=councildescription&subsection=aboutthecouncil
[25] GSEC Practical, “Government System Certification: A Guide to Government Security Mandates” by Christian Enloe, December 2002. http://www.giac.org/practical/GSEC/Christian_Enloe_GSEC.pdf
[26] NIST SP 800-37 – 2nd Public Draft.
[27] FIPS PUB 199. http://csrc.nist.gov/publications/drafts/FIPS-PUB-199-ipd.pdf
As part of the Information Security Reading Room