FISMA Law vs Home Email Server

Working for a federal agency that has IT functions regulated by public law and running an email server from home to use for agency business seems problematic, but it may be possible. Here are some of the laws and regulations that come into play:

  • FISMA – Public Law 107–347, Dec. 17, 2002, is known as the “E-Government Act of 2002”. Its section “TITLE III-INFORMATION SECURITY” is known as the “Federal Information Security Management Act of 2002”, or FISMA for short.

    Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
    NIST FISMA DETAILED OVERVIEW

    Also:

    FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:

    • Plan for security
    • Ensure that appropriate officials are assigned security responsibility
    • Periodically review the security controls in their information systems
    • Authorize system processing prior to operations and, periodically, thereafter

    NIST FISMA DETAILED OVERVIEW

    Note that these requirements apply to BOTH information AND information systems, and to BOTH operations AND assets, and to those provided or managed by OTHER SOURCES.

  • FISMA also grants NIST authority to issue information security guidance to federal agencies. NIST publishes Federal Information Processing Standards (FIPS), which are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use.

  • FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems” is a mandatory standard developed by NIST under the authority granted to it by FISMA. This standard establishes minimum security requirements for federal information systems, requires federal agencies to select the appropriate baseline of security controls from 800-53 to be applied to the system, and mandates the use of Special Publication 800-53.
  • NIST also publishes a series of Special Publications (SP) guidance documents, including the SP 800 series:
    • NIST SP 800-53 – This contains the list of security controls that must be considered to protect federal information systems, and more information on how to apply and use them.
    • NIST SP 800-37 – This contains a description of the process used to assess and authorize federal information systems.

FISMA LEGAL ISSUES WITH HOME BASED EMAIL SERVER
Let’s take a look at some of the conditions and requirements involved with setting up a home based email server to handle federal agency email. First, it would seem there are two basic variations:

  1. Declare the home based email server to be part of the agency information system and “inside” the authorization boundary. This case would require the email server to be included in the system component inventory of the agency, and to follow all security control requirements of the agency, and to be included in the assessment (testing) and authorization process.
  2. Declare the home based email server to be outside the agency authorization boundary and an information system by itself – that handles agency email information and assets. The requirements are similar to the above case in that the email server would need to follow security controls and go through an assessment and authorization process, but the set of security controls used might be different. As required by FIPS 200, once an IMPACT level has been selected based on the potential for loss of confidentiality, integrity, and availability of agency information and assets, the associated baseline of security controls from 800-53 would provide a starting point and the controls could be tailored to specifics of the actual operating environment.

HOME BASED ISSUES
Inside a federal agency environment, the physical and environmental security requirements are often taken for granted because the entire facility has such protections, and the information systems in the facility use them too. But in a home environment, these controls would need to be added to the home. This includes areas like: controlling physical access to the facility with locks, keys, combinations and/or card readers, maintaining physical access logs, escorting and monitoring visitors, protection of power equipment, emergency power supplies and lighting, fire protection, temperature and humidity controls, and more. SP 800-46 “Guide to Enterprise Telework and Remote Access Security” stresses the need to compensate for the lack of physical security controls in an employee’s home.

Besides just the physical and environmental controls, there are hundreds more that would be provided by an agency facility but might not be present in a home. Some of these controls could be accomplished using agency resources, such as background checks and clearances for personnel who work in the server environment, either as admins or doing maintenance. Access control, awareness and training, identification and authentication, planning, systems and services acquisition, and other families of security controls contain controls that might be leveraged from the agency. Many other control families, like audit and accountability, assessment and authorization, configuration management, maintenance, and media protection, have controls that would be primarily focused on the home server environment and discrete from the agency facility operating environment. And some controls could be crafted with a hybrid purpose, inheriting some of the agency infrastructure but still tailored to the specific home environment.
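The categorization-to-baseline step described under variation 2 above, and the common/hybrid/system-specific split just discussed, as an added worked example (not code from the original post): it applies the FIPS 199 high-water mark to a constructed set of information types, selects controls from an illustrative, constructed subset of SP 800-53 (the baseline membership in the table is for the example only; SP 800-53B is authoritative), and then allocates each selected control to the agency or the home server by family. The information types, ratings and family allocations are assumptions for the example.

```python
# FIPS 199 impact values, ordered so the high-water mark is a simple max().
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def categorize(info_types):
    """FIPS 199: info_types maps each information type to (C, I, A) ratings. Each
    objective takes the highest rating across types; the system level is their max."""
    per_objective = {
        obj: NAMES[max(LEVELS[ratings[i]] for ratings in info_types.values())]
        for i, obj in enumerate(OBJECTIVES)
    }
    overall = NAMES[max(LEVELS[v] for v in per_objective.values())]
    return per_objective, overall

# Constructed, illustrative subset of SP 800-53 controls: (title, lowest baseline that
# includes it). Membership is for this example only; SP 800-53B is authoritative.
CONTROLS = {
    "PE-3": ("Physical Access Control", "low"),
    "PE-8": ("Visitor Access Records", "low"),
    "PE-11": ("Emergency Power", "moderate"),
    "PE-14": ("Temperature and Humidity Controls", "low"),
    "PS-3": ("Personnel Screening", "low"),
    "AU-2": ("Audit Events", "low"),
    "CM-8": ("System Component Inventory", "low"),
    "AT-2": ("Security Awareness Training", "low"),
}

def select_baseline(level):
    """FIPS 200 step: every control whose baseline is at or below the impact level."""
    return sorted(c for c, (_, floor) in CONTROLS.items() if LEVELS[floor] <= LEVELS[level])

def allocate(control_ids, family_allocation):
    """Tag each control as common (inherited from the agency), hybrid, or
    system-specific (implemented at the home) from a per-family decision."""
    plan = {"common": [], "hybrid": [], "system-specific": []}
    for cid in control_ids:
        plan[family_allocation.get(cid.split("-")[0], "system-specific")].append(cid)
    return plan

def home_email_server_plan():
    # Constructed sample categorization for a home server handling agency email.
    info_types = {"agency email": ("moderate", "moderate", "low"),
                  "system audit records": ("low", "moderate", "low")}
    per_objective, level = categorize(info_types)
    controls = select_baseline(level)
    # Families the post says could be leveraged from the agency vs. home-focused.
    plan = allocate(controls, {"PS": "common", "AT": "common", "PE": "system-specific",
                               "AU": "system-specific", "CM": "hybrid"})
    return per_objective, level, controls, plan
```

Note that a single "high" rating on any one objective of any one information type raises the whole system to the High baseline, which is why the categorization has to be argued carefully in the SSP.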

But in any case, however the controls are crafted, everything in this process must be thoroughly examined and well documented. With a server operating inside the authorization boundary of an agency, these processes are all in place and being used for all the systems and components across the agency. For a home based email server, many of them would be specifically different, and both the processes and the documentation would need to be created.

Starting from scratch, the home based server that is considered to be an independent system would need a System Security Plan (SSP) to be developed, including inventory, contingency plan, risk assessment, configuration management plan, incident response plan, assessment and authorization documentation and more.

Considering the burden and effort level required to accomplish all this, it seems highly unlikely that any individual would take on the job (it would take a team of security specialists), or that the use of agency resources could be easily justified. The CIO of the agency would have to be involved in the decision process, because either way, they end up being responsible for a signature on the “Authorization To Operate” (ATO) that accepts the risk involved. It also seems doubtful that any CIO worth their salt would easily approve a home based email server unless there were some dire need. Any CIO involved in signing an Authorization To Operate (ATO) for the use of a home based email server would certainly need carefully detailed documentation to justify accepting the risk of their position.
