NASA engineers develop FISMA compliance tool

Published 25 September 2007

NASA engineers are good at developing complex space exploration systems, but they were frustrated by the demanding FISMA compliance and reporting requirements, so they developed an automated tool to take care of it.

On his retirement, Wernher von Braun, the German rocket scientist who was brought to the United States to work on the Apollo program, reflected on his four decades of working for the U.S. government, and said: “We can lick gravity; it is the paperwork that overwhelms us.” NASA’s Marshall Space Flight Center employees may work on developing important space transportation technologies, but they could not get their Federal Information Security Management Act (FISMA) reporting off the ground. GCN’s Trudy Walsh reports that Bob Keasling, a project manager at the Huntsville, Alabama, center, described the agency’s FISMA reporting as “spreadsheet chaos.” FISMA requires each agency to track metrics on different functional areas of information technology security. Keasling and a team at Marshall developed the Information Technology Security Center (ITSC), an application aiming to automate FISMA reporting. The application is designed to integrate the data and processes needed to manage an IT security program that complies with NIST security guidance as outlined by the FISMA framework.

When users log on to the Web browser-based ITSC, the first thing they see is the FISMA summary score card for their NASA center. For each functional area, the score card shows how many things need to be completed and how many are complete. Users can drill down to individual organizations within Marshall. ITSC is based on a strong data foundation, and with ITSC, much of this data entry is automated so users can focus on analysis. ITSC maintains an inventory of systems and gives IT employees the ability to generate NIST-based certification and accreditation (C&A) packages, one of the requirements of FISMA. The integration of personnel, equipment, network, and application data; training records; certifications; configurations; vulnerabilities; and NIST-supplied security controls helps expedite the process of generating a C&A package. The ITSC application also provides a change management feature that helps employees meet NIST’s continuous-monitoring phase of C&A, and it provides for data inheritance that allows common controls to be shared at the agency, site, and master-plan levels. Now, about 600 IT professionals use ITSC throughout NASA. “We’ve had many favorable responses from our IT peers,” Keasling said. “They see where we’re headed and are optimistic and encouraging.”