IT Management

Compliance Options: Government Work

Raise your hand if you’ve heard this one: “Close enough for government work …”

I first heard it as a kid when my family moved to the Deep South in the ’60s and met people who didn’t hold Yankees, intellectuals, or “the government” in high esteem. When these people made the “close enough” remark, it was usually said with a sneer and a knowing nod that confused us Thomas kids. After all, we weren’t that far from the Space Center, where “the government” was working to put men on the moon. We knew precision mattered greatly in this effort, especially after the afternoon Dad helped illustrate metrics, controls, and compliance.

It was cool. We started with a metric—one-tenth of 1 percent—a fraction that seemed very, very small to us kids. Dad asked us to predict how far off the mark I would be if I threw a grapefruit in a straight line across our yard and my angle was off only by that metric (it was less than an inch—as if I could throw that straight!).

Then he asked us to look past our little yard, down to big Lake Jackson. We hypothesized that we had a government grant to build a grapefruit cannon strong enough to shoot citrus from our yard all the way across the lake to the city pier on the other side. Boy, our eyes got big when we realized that a half of 1 percent error in aim meant the grapefruit would entirely miss the pier and the city beach. And what fun we had thinking of ways to control the flight of a grapefruit over the course of several miles!

I don’t remember the calculations for aiming astronauts at the moon, but I’m pretty sure we concluded they needed much stricter tolerances than a half of 1 percent. Also, we decided they needed to focus on preventive controls during the first part of their journey, so they were aimed in the right direction, and then add controls to make course corrections as needed.

Dad was successful that day in teaching us three points: 1) science and math concepts can be fun; 2) metrics must be developed in context; and 3) scientists planning to shoot grapefruit across our little yard would specify looser controls than if the goal were the city pier or the moon, but such experiments would all be based on the same scientific principles.

Later, we learned that part of my father’s job at the state-run hospital where he worked was reporting on compliance with various laws, regulations, and mandates. We understood what he meant when he said he had to develop metrics that would satisfy audits from three different government agencies. Do you work for the government? If so, you probably have to balance multiple compliance mandates, just like my Dad did. Even if you don’t work for the federal government, if you store, process, or transmit federal information, then you should be aware of the Federal Information Security Management Act (FISMA).

FISMA requires federal agencies, groups that receive federal funds (such as educational institutions and foundations), and contractors doing business with them to protect the confidentiality, integrity, and availability of federal data and systems. They have to develop, document, and implement information security programs; implement controls that meet requirements established by the National Institute of Standards and Technology (NIST); and provide assurance about the effectiveness of these controls.

NIST has published a document that classifies and describes control categories recommended to satisfy FISMA requirements; it also provides guidelines for assessing them. For a list of the control families, go to Z