News and Views

Federal Information Systems Security Educators' Association

Issue One of FISSEA Year 2005-2006
April-May 2005



From the Chair


I am beginning to write this while my car is having its brakes checked.
Vehicle servicing and maintenance is important to remain in good condition. For FISSEA, service occurs constantly during Exec Board meetings, our annual Conference, the quarterly newsletters, list serve, and web page.

A lot of things have happened since my last column. We held a very successful conference at a brand new grand location. We elected our new Executive Board. Our newsletter editor has changed. Oh, and I now have new brake pads!

Hydraulic fluid is what keeps the brakes at the correct operating pressure and functioning well. Keeping FISSEA running flawlessly are our NIST liaisons, Peggy Himes and Mark Wilson. These often unseen supporters are truly the backbone of our organization. And, lest we forget, Patrick O'Reilly keeps our website up and running, and Patrice Boulanger and her organization help our conferences to run smooth.

Car brakes have many parts: pads, calipers, rotors, and an assortment of connection and control devices, all designed to keep passengers safe. Our Exec Board is also made up of various pieces which work well together to keep our 18 year old vehicle (known as FISSEA) moving safely forward down the correct path.

Pads wear out over time and need to be replaced. Our new FISSEA-brand pads include: K Rudolph, Susan Hansche, and Jim Litchko.

My calipers just needed to be cleaned and serviced. This is like Barbara Cuffie, who returns as a full term Exec Board member after her year as ex-officio. We are also fortunate to not only bring her back on the Board but also to have her impressive abilities in our Assistant Chair position.

One of my rotors did not need replacing, like our Board members in the second year of their two-year terms. Their experience and the organizational history they carry is essential to the continuation of our association. Mary Ann Strawn, Curt Carver, Gretchen Morris, Will Suchan, Tom Foss, and Jeff Seeman, are FISSEA OE (original equipment).

Another rotor was a little warped, sort of like myself - being reelected both to the Board as well as its Chair.

I always appreciate critiques on my writing and this time one came before publishing. Mark "Bubba" Wilson commented that he "like(d) the maintenance analogy (but) You could take it further with some mention of needing a clean windshield to see where you are going, and working mirrors to see where you have been (as well as) what might be coming up on you." Thanks Mark, you can be on my column's Pit Crew any day. Out our rear view mirror are the faces of Marvella Towns, Lewis Baskerville, and Tanetta Isler, who are waving farewell as we step on the gas. But, remember, things in the mirror "are closer than they appear" - we hope that their support will not flag as it was truly appreciated. The major near term items viewed through FISSEA's windshield are our Strategic Plan and some new and varied free workshops.

Driving away from the service bay, it is getting difficult to type... not! But I have now met Mike the Mechanic as well as held the first new Exec Board's meeting and as FISSEA passengers I suggest you fasten your seat belts because we're in for a wild ride! Oh, give me a brake... I mean break!
Louis Numkin, CISM
Internal Revenue Service

Go to top of page

horizontal bar

NIST Special Publication 800-53

Submitted by Amy Korman, CISSP, ISSMP/AP, CPA
PEC Solutions, Inc.

The following article provides key information regarding NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. The information herein stems from the document itself, as well as from a conversation with NIST authorities. The purpose of this article is to provide an overview of the new publication, discuss how it will effect Information Assurance professionals, what the major differences are between the new SP 800-53 and older more familiar documents, and provide information surrounding the timeframe and usage of documents going forward.

NIST SP 800-53: What Is It?
SP 800-53 (February 2005) is NIST's latest document that is to be "the primary source of recommended security controls for federal information systems, replacing the security control [framework] described in NIST Special Publications 800-18 (Guide for Developing Security Plans for Information Technology Systems) and 800-26 (Security Self-Assessment Guide for Information Technology Systems). Future versions of SP 800-18 will eliminate the listing of security controls and [will instruct readers to use the controls listed in] SP 800-53."

The recommended baseline security controls contained in SP 800-53 will form the basis for those controls that will become mandatory in December 2005 when SP 800-53 becomes Federal Information Processing Standard (FIPS) 200, Minimum Security Controls for Federal Information Systems. While SP 800-53 is a guideline, FIPS 200 will be mandatory for all systems at civilian federal agencies (as required by FISMA), excluding those designated for national security.

The FISMA Implementation Project web site at has the latest information on FIPS 200. Currently, the schedule has been revised to include issuing the first public drafts of the SP 800-53A and FIPS 200 documents in June and April 2005, respectively.

What Will Change?
Per discussion with NIST authorities, they are currently in the planning stages of the rewrite of SP 800-26, as its self-assessment questionnaire will be updated to align with SP 800-53. The first several sections of the SP 800-26 document will remain the same, however, information about FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems), compensating controls, common controls, SP 800-53 and SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems) will be added. The SP 800-26 questionnaire will be used solely as a reporting format in the future. The questionnaire will have the seventeen families that are in SP 800-53, with each control title and number listed. The control and the enhancements will not be repeated in SP 800-26; rather, the document will direct the reader to go to SP 800-53A. SP 800-53A will contain the control along with enhancements and the assessment criteria that should be accomplished prior to annotating in SP 800-26 the level that the control has reached. "SP 800-53A provides guidance on assessment methods and procedures for security controls defined in this publication. SP 800-53A can also be used to conduct self-assessments of information systems."

Difference in Old and New Documents
SP 800-53 continues the framework of the SP 800-26 document in that there are seventeen topical control areas divided into Management, Operational, and Technical controls. In the new SP 800-53 document, there are still seventeen control areas, however, they are now referred to in the context of classes and families. Classes represent the type of control, such as Management, Operational, or Technical; family refers to the control area, such as Awareness and Training or Incident Response. Appendix D in SP 800-53 provides a summary of minimum security controls to be implemented based up whether a system is classified as low, moderate, or high-impact.

The seventeen families per the SP 800-53 document are not a direct one-to-one mapping of the seventeen control areas and objectives of the SP 800-26 document. Some control areas are easily mapped on the surface, such as Personnel Security, which goes by the same name in both publications. However, some control areas from the 800-26 do not appear at all in SP 800-53, and the SP 800-53 has some new control objectives (families) that were not referenced in SP 800-26. Some of the new families, such as System and Information Integrity (SP 800-53) are easy to map back to SP 800-26 (Data Integrity); this is just a matter of semantics. The crux of the change is that the original control objectives from the SP 800-26 are scattered amongst multiple families in the SP 800-53, and one control objective may now be mapped to multiple control objectives.

How will this affect you?
Conducting a review based on the new SP 800-53 document will require an exercise in reformatting any existing review templates. Many of the same questions previously asked per the SP 800-26 questionnaire will still apply, however, from a documentation perspective they are no longer within the same category as per the SP 800-26 Questionnaire. For example, Personnel Security questions (controls) that were previously located in Category 6 of SP 800-26 are now located throughout several sections of SP 800-53, such as Access Control and Configuration Management, as well as the Personnel Security category. This will require new documentation to be created in order to effectively conduct the current year review. In addition, this will require additional thought and mapping when attempting to track weaknesses noted in the prior year POAM as an agency can no longer say that a question from a particular SP 800-26 category such as Contingency Planning, was deficient and easily map it to a control objective per the 800-53 to track the progress. The particular weakness could likely be found in Contingency Planning (which kept its name), or it could actually be found within Maintenance or System and Communications Protection.

A more detailed review of SP 800-53's Appendix G reveals a mapping of the SP 800-53 families to the SP 800-26 control objectives. This nicely shows the mapping between the new organization of controls with the old, well-known controls and their layout. Appendix G shows, for example, that the new family, Audit and Accountability, maps to two of the SP 800-26 categories of Audit Trails and Logical Access Controls. It does not easily show that questions (controls) from section 17, Audit Trails, from the SP 800-26 are now contained within the SP 800-53 Maintenance family, as well as within the Access Control and Audit & Accountability families. A reverse mapping to better explain this area is currently being worked on.

It is imperative that awareness training be provided to those groups who were involved in utilizing the SP 800-26 in the past, as the new layout of controls is vastly different. Now that the SP 800-53 will be mandatory as FIPS 200 (the 800-26 was only a suggested guideline) it is important that the controls and the format are understood. Users must be educated as to the new schema of classes and families and how they relate to the SP 800-26 document. Finally, users must be educated as to how to determine the minimum controls for their particular system.

(The author, Amy Korman, CISSP, ISSMP/AP, CPA may be contacted at

Go to top of page

horizontal bar

The Beginnings of FISSEA and Then Some

Submitted by Peggy Himes, NIST

(The "History of FISSEA" was first printed in the January 1999 newsletter. While some newer members may not be aware of FISSEA's beginnings the earlier article is repeated below.)

"The Federal Information Systems Security Educators' Association (FISSEA) is a volunteer organization for federal information systems security professionals, contractors of federal agencies and faculty members of accredited educational institutions. The concept of such an organization originated in 1984 at a meeting held in the Fort Meade Officers' Club. Over the years interest in computer security awareness, training, and education grew.

In 1989, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) Subcommittee on Automated Information Systems Security (SAISS) approved the charter for the "EDUCATORS." NSA's Larry Martin, Harold Segal, and Horace Peele were founding members of the working group. Later, when the group formalized in direct support of the Education, Training and Awareness Working Group of AIS, the Educator's Subgroup became known as the National Computer Security Educators (NCSE). During this time, the organization was under the sponsorship of the National Security Agency.

The enactment of P.L. 100-235 (the Computer Security Act of 1987) was a motivating factor for moving the sponsorship of FISSEA from NSA to NIST as classified and unclassified information was divided between the two agencies. In 1991, the name, National Computer Security Educators (NCSE), was changed to the Federal Information Systems Security Educators' Association (FISSEA). Emphasis was placed on the federal community, but membership and interests also included academic institutions and others interested in computer security education.

To name names, early Executive Board members from 1991-1993 included Jon Arneson, Joan Capel-Pohly, Patricia Ciuffreda, James Colburn, Richard Costello, Barbara Cuffie, Dorothea de Zafra, Joseph Easley, Kathie Everhart, Duane Fagg, Janet Jelen, Delmar Kerr, Charles Kellerman, Ray Letter, Geoffrey Lewis, Vic Maconachy, Victor Marshall, Harold McConnell, Dennis Poindexter, Roger Quane, Gary Smith, Lauresa Stillwell, and Althea Whieldon.

The first NCSE seminar was held in 1989 with the theme Trainer's response to the training requirements of the Computer Security Act of 1987. The NCSE seminars have evolved into an annual FISSEA conference. A complete listing of past conference themes can be found on the FISSEA website.

At the conference each year, an award is presented to a candidate selected as Educator of the Year, honoring distinguished accomplishments in information systems security training programs. The first award, given in 1991, was presented to Gary W. Smith. Other recipients include: Vic Maconachy (1992), Corey Schou (1993), Lt. Col. E. C. Chambers (1994), Gale Warshawsky (1995), and Joan Pohly (1996). The 1997 Educator of the Year was awarded to a group of individuals: Dorothea de Zafria, John Ippolito, Sadie Pitcher, and John Tressler. The 1998 EOY Award will be presented at the March conference. The FISSEA website has information on nominating a candidate for the Educator of the Year award. The deadline for submission is mid-February and the award is given at the annual conference held in March.

Today, FISSEA is growing and thriving. Its program of work remains focused on computer security education, a more vitally important agenda now than in 1984 when FISSEA was conceived. FISSEA's 290 members are encouraged to serve on task groups, to contribute to the newsletter, to network with other members and to foster the goals of FISSEA in their own organizations. Then, we will have more good news to write in the next chapter of FISSEA's history."

Next Chapter:

To bring this article up-to-date since it was originally written in 1999… FISSEA continues to hold annual conferences, now offers free workshops, encourages people to submit articles for the newsletter, maintains a website and a list serve for members to communicate with each other. In 1999, there were 290 members. Today, there are 1,140. However, the list serve has less than half the members in it, if you would like your email address included, please send an email to You can view complete guidance on the website under On-Line Email List Rules and Guidance.

The Educator of the Year award was presented to Louis Numkin (1998), Dr. Roger Quane (1999), George Bieber (2000), LTC Daniel Ragsdale (2001), Patricia Black (2002), and Jeff Recor (2003). Most recently, congratulations go to Dr. Gail-Joon Ahn, University of North Carolina, who was presented with the 2004 Educator of the Year Award at this year's conference.

In the last two years, a contest has been held for the best Website, Trinket, and Poster Contest. Marvella Towns coordinated this popular contest and announced the winners at the annual conference. The winning entries are shown on the website. In 2004, Diane Coleman, IRS, won the trinket portion; Melissa Guenther, University of Arizona won for the poster, and Capt. Cheryl Seaman, HHS, won the website portion.

The 2005 FISSEA Poster, Trinket, and Website Contest winning entries were presented to:
        Poster - Vicky Hansen, A.G. Edwards & Sons
        Trinket - K Rudolph, Native Intelligence Inc.
        Website - Crystal Lowe, Internal Revenue Service

FISSEA conferences are relatively small in attendance but the networking opportunities are giant-sized. The computer security professional can discover new ways to improve their security program as the program focuses on awareness, training, and education. For the past few years, LTC Curt Carver and LTC Will Suchan have done an awesome job on the program and have agreed to do it again for 2006. Please check the website for an announcement on next year's date and the Call for Presentations.

The newsletter will have new editors for future issues. Volunteers were asked to take over this role at the March conference and Nanette Poulios, Walsh College; Shon Harris, Logical Security, and Diane Maier, RS Information Systems came forward. Please continue to submit articles to either or until further instructions are given.

You are encouraged to bookmark the FISSEA website, and check it often. The website and list serve will be used to announce future workshops. You may find the summaries from past workshops presented by Susan Hansche and Mark Wilson helpful.

Individuals that have contributed greatly to FISSEA's evolvement are Phil Sibert (retired from DOE), Barbara Cuffie (retired from SSA), Louis Numkin (now with IRS), and Mark Wilson (NIST). FISSEA continues to be a great networking opportunity for members and continues its purpose to assist federal agencies in meeting their computer security training responsibilities.

Go to top of page

horizontal bar

FISSEA Executive Board:

FISSEA Executive Board 2005-2006

Louis Numkin, CISM, Board Chair**
LTC Curt Carver, Jr., Conference Director**
Barbara Cuffie, CISSP, Assistant Chair**
Thomas Foss*
Susan Hansche, CISSP-ISSEP**
James Litchko**
Gretchen Ann Morris, CISSP*
K Rudolph, CISSP**
Jeffrey Seeman*
Mary Ann Strawn, Publicity*
LTC Will Suchan, CISSP, Conference Director*
NIST Contacts (Not Elected):
Mark Wilson, CISSP, NIST Liaison
Peggy Himes, Executive Assistant to Bd
Patrick O'Reilly, Website

* Term ends March 2006
** Term ends March 2007


Go to top of page

horizontal bar


This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to and/or


MAY 17-19, 2005, Risk Assessment and Management for Security Professionals at the University of Maryland University College in College Park, MD. This is the first of a new series of seminars developed and presented in conjunction with the University of Maryland University College (UMUC) by the U.S. Professional Development Institute (USPDI). The seminar is taught by Prof. Randall Nichols, author of Defending Your Digital Assets and Wireless Security. Prof. Nichols has been nominated for the Stanley J. Drazek Teaching Excellence Award.

Content focuses on: identifying and critically assessing issues and concepts related to the protection of information and information systems; using risk management principles to assess threats, vulnerabilities, countermeasures; performing a risk analysis; and creating a management plan for security. The final exercise is completing a theoretical and practical risk assessment and management scenario where students apply what they have learned to dealing with a credible terrorist threat.

For more information, visit or call Jeff Erlichman at 301-891-1880. To register call 1-866-99USPDI (1-866-988-7734).


MAY 17-19, 2005, AFCEA TechNet International 2005, New DC Convention Center - 801 Mount Vernon Place, NW Washington, DC 20001, Phone: 800.368.9000, Web Site for info:
Plenary Session with Rudy Giuliani, former Mayor of New York City, Wednesday, 18MAY2005 from 9 to 10am, and a "Tribute to Government Gala" from 5 to 8pm on Tuesday, 17MAY2005, which is FREE to all registered attendees and exhibitors and includes a Buffet Dinner on the Exhibit Floor and boot-stomping concert with The Charlie Daniels Band! YeeHaw


MAY 25-26, 2005, Government IT Security Summit presented by The Performance Institute at the Performance Institute Conference Center in Arlington, VA. Featuring comprehensive coverage of the latest IT security mandates. Acquire new methodologies to raise your FISMA score. Implement a verifiable stream-lined and cost-efficient C&A process. Evaluate, navigate, and mitigate security risk. Integrate IT security with budget justifications to secure IT funding. Align IT security to the Federal enterprise architecture to achieve mission goals. Acquire the latest updates on NIST and DITSCAP requirements. Register by calling 703-894-0481 or visit for complete details. A 50% discount pass for use by FISSEA members has been authorized if you email Louis Numkin at


JUNE 1-2, 2005, Computer Security Institute (CSI) course. John O'Leary is presenting a "How to Create and Sustain a Quality Security Awareness Program" session in Montreal, Canada. The website which also includes links to other courses, their FBI study, and their 2005 Training Catalog, is at:
Also, CSI has put out a Call for Papers to be presented at the CSI 32nd Annual Conference in Washington, DC, on 14-18NOV2005. Info on this is available at:


JUNE 7-8, 2005 MISTI Forum. One of local interest is "The Forum on Information Security in Government" on 7-8JUN2005, in Washington, DC. Their general info web site is


JUNE 22-23, 2005, 5th Annual Kansas City Security Symposium. The Kansas City Security Coalition (KCSC), founded in 2000, is an organization run by and for Federal security professionals. KCSC brings together Federal government organizations for the purpose of elevating the general knowledge of the security community on systems security, fraud detection, physical security, and to promote security awareness in member organizations. The 5th Annual Security Symposium will be held at the Hartman Conference Center at Hilton Garden Inn, Independence, MO. Website: For further information, contact Dorothy Reed, Center for Security and Integrity, (816) 936-5559.


JULY 27-28, 2005, Black Hat Briefings USA 2005 at Las Vegas, Caesars Palace. Visit for track descriptions, training schedule and complete details. "The Black Hat Briefings was created to fill the need for computer security professionals to better understand the security risks to information infrastructures and computer systems. Black Hat accomplishes this by assembling a group of vendor-neutral security professionals and having them speak candidly about the problems businesses face and the solutions to those problems. No gimmicks- just straight talk by people who make it their business to know the information security space." If you are interested in registering 6 or more persons, please contact ping at Early Bird Registration rates will close May 15, 2005. Regular Registration rates will close July 1, 2005. Late Registration rates will close July 22, 2005. Onsite Registration rates will apply July 23-28, 2005.


November 30 - Computer Security Day. Readers can get a free poster by writing to ACSD; PO Box 39110; Wash, DC 20016. Website is


DECEMBER 5-9, 2005, Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona, There are now four weeks left to submit papers in the technical track to ACSAC 2005. Please note the dates below and submit your papers!

Important dates:
May 29, 2005     Technical program: paper submission deadline
August 14, 2005     Paper acceptance decisions communicated to authors
Online paper submission system:
Call for papers and detailed submission instructions:,

We look forward to receiving your submissions! Christoph Schuba, Pierangela Samarati, Charlie Payne, 2005 ACSAC program chairs, ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.


FISSEA member, William Uttenweiler, made the offer: The California Central Coast security groups have released another dozen new free downloadable security awareness/motivation posters as of May 1, 2005. This brings the total to 149 different designs! Point your browser to You are welcome to download the posters and use them in your security awareness/motivation program. However, you may NOT modify them without permission.


Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to
Last Modified: May 4, 2005.