eral agencies could work together on software development. This collabo-
rative approach allows software to be developed and shared among federal
agencies in a more efficient and cost-effective manner. The establishment
of the consortium allowed ASSERT to become used by other federal agen-
cies, including the Social Security Administration and the General Services
As of September 2005, ASSERT was in the process of
being implemented at the Federal Aviation Administration (an agency of the
U.S. Department of Transportation). In addition, NIST is in the process of
developing an XML schema for NIST FISMA compliance that will facilitate
the collaborative, information sharing model pioneered by SRA.
Driven by the demands of FISMA, information security within the
federal government is a demanding endeavor requiring teamwork, the
sharing of ideas, the application of strong security solutions, and the
evolution of standardized practices, all of which must be cost effective.
By automating the FISMA compliance process, ASSERT has provided
an efficient means for federal agencies to verify their compliance with
government information security regulations.
SRA, SRA International, Inc., NetOwl, and ORIONMagic are registered
trademarks of SRA International, Inc. Blackberry is a registered trade-
mark of Research In Motion. ENERGY STAR is a registered trademark
of the Environmental Protection Agency. All rights reserved.
1. U.S. Securities and Exchange Commission, Form 10-K, Annual
Report for the Year Ended June 30, 2005, SRA International, Inc.
2. Distributive Training Technology Project. Available: http://www.dttp.
Endnotes 153
38190_CH05_FINAL_.qxd 3/25/06 8:42 AM Page 153
154 Case 5 SRA International, Inc.
3. SRA International, Inc., “2004 Annual Report. Available:
4. A brownfield is a property whose expansion, redevelopment, or
reuse may be complicated by the presence of a hazardous substance
or contaminant. The EPA established the Brownfields Program in
1995 to prevent, assess, clean up, and reuse brownfields. There is
considerable information about the EPAs Brownfields Program
available at
5. Superfund is the federal government’s program to clean up the
nations uncontrolled or abandoned hazardous waste sites. It was
established in 1980 with the passage of The Comprehensive Envi-
ronmental Response, Compensation, and Liability Act (CERCLA).
For more information about Superfund and CERCLA, see
6. The ENERGY STAR program is a public/private partnership pro-
gram between the federal government and industry. The program
is designed to help businesses and individuals protect the envi-
ronment through superior energy efficiency. For more informa-
tion, see
7. E-Government Act of 2002 (H.R. 2458/S. 803; Public Law 107-347).
8. Government Accountability Office, GAO-05-552, “Information
Security: Weaknesses Persist at Federal Agencies Despite Progress
Made in Implementing Related Statutory Requirements,July 2005.
9. U.S. Department of Commerce, National Institute of Standards and
Tec hnology, Computer Security Division, FIPS PUB 199,“Standards
for Security Categorization of Federal Information and Informa-
tion Systems, February 2004. Available:
38190_CH05_FINAL_.qxd 3/25/06 8:42 AM Page 154
10. In June 2004, NIST issued Special Publication 800-60, “Guide for
Mapping Types of Information and Information Systems to Security
60/SP800-60V1-final.pdf. NIST Special Publication 800-60 provides
the criteria used to map information and information systems to the
impact levels established in FIPS Publication 199.
11. NIST Special Publication 800-53 is intended to provide interim
guidance to federal agencies until FIPS Publication 200,“Minimum
Security Requirements for Federal Information and Information
Systems, is published in 2006.
12. U.S. Department of Commerce, National Institute of Standards and
Te c hnology, Special Publication 800-53, “Recommended Security
Controls for Federal Information Systems, February 2005. Available:
13. Personal communication with Steve Newburg-Rinn, Director, Civil
Government Information Assurance Solutions, SRA International,
Inc., July 21, 2005.
14. ASSERT is an automated version of NIST Special Publication 800-
26, “Security Self-Assessment Guide for Information Technology
Systems. ASSERT incorporates the security categorizations and
minimum control requirements described in FIPS Publication 199
and NIST Special Publication 800-53, as set forth in NIST Special
Publication 800-26. See also endnote 15.
15. U.S. Department of Commerce, National Institute of Standards and
Te c hnology Special Publication 800-26, “Security Self-Assessment
Guide for Information Technology Systems, November 2001.Avail-
16. Steve Newburg-Rinn, “Promoting & Facilitating IT Security
Compliance, January 8, 2005. Presentation received from Steve
Newburg-Rinn, Director, Civil Government Information Assur-
ance Solutions, SRA International, Inc., July 21, 2005.
Endnotes 155
38190_CH05_FINAL_.qxd 3/25/06 8:42 AM Page 155

Get Information Security: Contemporary Cases now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.