DHS is Looking to Upgrade Its FISMA Compliance Tools


The new and improved information assurance system would help officials better understand and manage the department’s sprawling IT infrastructure.

The Homeland Security Department is looking for vendors to enhance the system officials use to keep the agency’s sprawling tech infrastructure in line with federal cybersecurity standards.

The agency on Tuesday started seeking information on a platform that would ensure the numerous IT systems used across the agency live up to the Federal Information Security Management Act, the government’s primary cyber regulation. The new and improved information assurance compliance system, or IACS, would be used to develop and maintain security authorizations for all of the department’s “sensitive but unclassified” systems, according to the request for information.

“The improved IACS must help the Department of Homeland Security and its components meet the new challenges of FISMA tracking and reporting,” officials wrote. “The system shall be scalable enough to satisfy new capabilities on system information assurance data, performance metrics and artifacts.”

For years, agencies across government have failed to put in place proper safeguards and procedures to bolster their IT systems against digital attacks. Even the National Security Agency, which houses some of the government’s most sensitive secrets, struggles to uphold the cyber best practices outlined in FISMA. 

Under the law, agencies are required to maintain an updated inventory of the numerous IT systems and applications they operate, which includes descriptions of how each technology connects to other internal and external systems. The improved IACS system would be used in part to assemble that inventory, helping officials better understand and manage the department’s extensive IT infrastructure.

In the RFI, officials listed hundreds of technical and process requirements for the new system, detailing expectations for performance, data management capabilities, privacy standards and user interfaces. And as the department ramps up its Continuous Diagnostics and Mitigation program and other security initiatives in the years ahead, officials said, there may be more requirements to come.

“Although identifying the requirements for a system as complex and nuanced as IACS is overwhelming, this major undertaking is necessary to improving ... services across the department and helping DHS to advance its mission,” they said.

Interested vendors must submit feedback on the requirements by July 31.