Tutorial: Terminology

Terminology

OpenFISMA uses standardized terms throughout the application to make the interface unambiguous. By defining these terms, users are able to understand what information the application is showing them, and communicate that information to other individuals.


Data Terminology

The following forms of data have very specific meanings in OpenFISMA:

Assets

An asset is any unique element of an information system which might be observed in assessing a system's risk posture. This could include, among other things, software services running on a server (such as an HTTP service running on IP address 192.168.1.92:80), documentation (such as an SSP), or personnel.

Findings

A finding is a possible security weakness observed by an auditor and reported through OpenFISMA. The finding is the largest data object in OpenFISMA. It contains information describing the nature of the finding, the auditor's recommendation, the threat level, the countermeasures in place, the information system's risk mitigation strategy, the affected asset, as well as extensive audit history and document archival.

Finding Sources

Finding Sources define possible means of discovering findings. For example, a typical finding source would be "Certification & Accreditation". All C&A findings would be tagged with this label. Subsequently, users would be able to use this tag when searching in order to only search for C&A findings. This information can also be used in report building to answer questions like, "What percentage of findings came from C&A?"

Networks

A network is a logical grouping of assets sharing an address space. OpenFISMA introduces the concept of a network in order to disambiguate two assets on separate, privately addressed networks, which might have the same IP address. By tracking which network each asset is on, OpenFISMA can reliably distinguish between the two assets.
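The disambiguation described above can be shown with a small inventory model. This is an added example, not OpenFISMA's own code or data model: the Asset and AssetInventory names, the "ip:port" address format and the sample networks are assumptions made for illustration. Each asset is keyed by (network, IP, port) rather than by IP alone, and the inventory also checks that an asset's address actually falls inside the address space of the network it is assigned to.

```python
"""Added example (not OpenFISMA code): an asset inventory keyed by network.

Two hosts on separate privately addressed networks can share an IP address;
keying each asset by (network name, IP, port) instead of by IP alone keeps
them distinct. The Asset/AssetInventory names and the "ip:port" address
format are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Asset:
    network: str      # name of the network the asset lives on
    address: str      # "ip:port" for a service (e.g. "192.168.1.92:80") or "ip" for a host
    description: str


def split_address(address: str) -> Tuple[IPAddress, Optional[int]]:
    """Split "ip[:port]" into a validated IP address and an optional port."""
    host, sep, port_text = address.partition(":")
    ip = ipaddress.ip_address(host)  # raises ValueError on a malformed address
    if not sep:
        return ip, None
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {address!r}")
    return ip, port


class AssetInventory:
    def __init__(self) -> None:
        self.networks: Dict[str, IPNetwork] = {}
        # Key is (network name, IP as text, port); the network name is what keeps
        # two assets with the same IP on different networks apart.
        self.assets: Dict[Tuple[str, str, Optional[int]], Asset] = {}

    def add_network(self, name: str, cidr: str) -> None:
        """Register a network together with the address space it covers."""
        self.networks[name] = ipaddress.ip_network(cidr, strict=True)

    def add_asset(self, asset: Asset) -> None:
        """Record an asset; rejects unknown networks, addresses outside the
        network's address space, and exact duplicates within one network."""
        if asset.network not in self.networks:
            raise KeyError(f"unknown network {asset.network!r}")
        ip, port = split_address(asset.address)
        if ip not in self.networks[asset.network]:
            raise ValueError(f"{ip} is not inside network {asset.network!r}")
        key = (asset.network, str(ip), port)
        if key in self.assets:
            raise ValueError(f"asset already recorded: {key}")
        self.assets[key] = asset

    def find(self, network: str, address: str) -> Optional[Asset]:
        """Look up an asset by the network it is on and its address."""
        ip, port = split_address(address)
        return self.assets.get((network, str(ip), port))


def build_sample_inventory() -> AssetInventory:
    """Constructed sample data: two networks that both use 192.168.1.0/24."""
    inv = AssetInventory()
    inv.add_network("lab-east", "192.168.1.0/24")
    inv.add_network("lab-west", "192.168.1.0/24")
    inv.add_asset(Asset("lab-east", "192.168.1.92:80", "HTTP service, east lab web server"))
    inv.add_asset(Asset("lab-west", "192.168.1.92:80", "HTTP service, west lab file portal"))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for key, asset in inventory.assets.items():
        print(key, "->", asset.description)
```

Keying on the network name first means a search for "192.168.1.92:80" alone is not enough to identify an asset; the caller must say which network it means, which is exactly the ambiguity the network concept exists to remove.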

Products

A product is a software application or hardware device which has a name, publisher, and version number. Products can be associated with assets. This association can be used to build reports which answer questions such as, "How many findings affected Oracle 10g servers?"

Roles

OpenFISMA access control is entirely role-based, and these roles are completely customizable. A stock set of roles following NIST guidelines is installed by default, but you can modify them, delete them, and even create new roles to tailor the access control to your organization's exact needs.

Organizations

Organizations are entities which contain systems. An agency can create multiple organizations within OpenFISMA and assign systems to each organization. This information can be used in report building to answer questions like, "What percentage of findings applied to each organization?"

Systems

OpenFISMA tracks an inventory of information systems. Each system is defined by a name and acronym, as well as its Confidentiality-Integrity-Availability (CIA) vector. OpenFISMA also provides fields to optionally document a system and the types of information which it stores. OpenFISMA will calculate the FIPS-199 system impact level automatically for each system.
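The automatic impact calculation mentioned above follows the FIPS 199 "high water mark" rule: each security objective (confidentiality, integrity, availability) is rated LOW, MODERATE or HIGH, a system's rating for an objective is the highest rating any of its information types carries for that objective, and the overall system impact level is the highest of the three objective ratings. The following is an added example of that rule, not OpenFISMA's own implementation; the "C-I-A" vector string format (for example "M-H-L"), the function names and the sample information types are assumptions made for illustration.

```python
"""Added example (not OpenFISMA code): FIPS 199 security categorization.

FIPS 199 rates each security objective (confidentiality, integrity,
availability) as LOW, MODERATE or HIGH. A system that handles several
information types takes, for each objective, the highest rating any of its
information types carries, and the overall system impact level is the highest
of the three objective ratings (the "high water mark"). The "C-I-A" vector
string format used here (e.g. "M-H-L") is an assumption for illustration.
"""
from typing import Dict, Iterable, Tuple

# Ordinal ranking of the FIPS 199 impact levels, lowest to highest.
RANK: Dict[str, int] = {"L": 0, "M": 1, "H": 2}
NAME: Dict[str, str] = {"L": "LOW", "M": "MODERATE", "H": "HIGH"}


def parse_cia_vector(vector: str) -> Tuple[str, str, str]:
    """Parse 'C-I-A' (e.g. 'm-H-l') into three normalized one-letter ratings."""
    parts = [p.strip().upper() for p in vector.split("-")]
    if len(parts) != 3:
        raise ValueError(f"expected three objectives (C-I-A), got {vector!r}")
    for p in parts:
        if p not in RANK:
            raise ValueError(f"unknown impact rating {p!r}; expected L, M or H")
    return parts[0], parts[1], parts[2]


def high_water_mark(ratings: Iterable[str]) -> str:
    """Highest rating in a non-empty collection of L/M/H ratings."""
    ratings = list(ratings)
    if not ratings:
        raise ValueError("no ratings to aggregate")
    return max(ratings, key=RANK.__getitem__)


def system_impact_level(vector: str) -> str:
    """Overall FIPS 199 impact level for a single CIA vector such as 'M-H-L'."""
    return NAME[high_water_mark(parse_cia_vector(vector))]


def categorize_system(information_types: Dict[str, str]) -> Dict[str, str]:
    """Derive a system's CIA vector and impact level from its information types.

    information_types maps an information-type name to that type's CIA vector.
    Each objective takes the highest rating across all types; the overall
    system impact is then the highest of the three objective ratings.
    """
    vectors = [parse_cia_vector(v) for v in information_types.values()]
    if not vectors:
        raise ValueError("a system must carry at least one information type")
    c = high_water_mark(v[0] for v in vectors)
    i = high_water_mark(v[1] for v in vectors)
    a = high_water_mark(v[2] for v in vectors)
    return {
        "confidentiality": NAME[c],
        "integrity": NAME[i],
        "availability": NAME[a],
        "cia_vector": f"{c}-{i}-{a}",
        "system_impact": NAME[high_water_mark((c, i, a))],
    }


if __name__ == "__main__":
    # Constructed sample: a system storing two information types.
    sample = {"privacy records": "M-M-L", "public web content": "L-M-H"}
    print(categorize_system(sample))
```

Note that a single HIGH rating on any objective of any information type is enough to make the whole system HIGH; that is the intended conservatism of the high water mark, and it is why the per-objective vector is worth reporting alongside the overall level.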

Users

User accounts can be created through the administration interface. OpenFISMA allows for authentication against an LDAP directory, but also provides a default, built-in database authentication module for organizations that do not use LDAP. Passwords are stored using the NIST-compliant SHA1 hash algorithm.