Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) is contained within the E-Government Act of 2002, Public Law 107-347, as Title III. The act recognizes the importance of sound information security practices to the interests of national security and the economic well-being of the United States. It was amended in 2014 by the Federal Information Security Modernization Act of 2014, which introduced several key changes.

The purpose of FISMA is to do the following:

  • Provide a framework for effective information security resources that support federal operations, data, and infrastructure

  • Recognize the interconnectedness of IT and ensure effective risk management is in place

  • Ensure coordination of information security efforts between civilian, national security, and law enforcement communities

  • Facilitate the development and ongoing monitoring of required minimum controls to protect federal information systems and data

  • Provide for increased oversight of federal agency information security programs

  • Recognize that information technology solutions may be acquired from commercial organizations but leave the acquisition decisions to the individual agencies

FISMA tasked the National Institute of Standards and Technology (NIST) with developing standards and guidelines that apply to federal information systems. The standards help categorize information and the systems that process it, and they are developed using a risk-based approach. They also define the minimum information security controls, including the management, operational, and technical controls to apply to information systems.

NIST publications outline a complete set of security standards and processes. To be compliant, your policies must include key security control requirements. Regardless of the publication, these requirements often include the following:

  • Inventory—The standards require an inventory of hardware, software, and information. The inventory identifies the type of information handled and the interfaces to the systems, and it gives special attention to national security systems.

  • Categorize risk level—The publication outlines an approach to classify risk. It outlines how to map risk levels to computer systems and information. The risk level drives which security controls are applied.

  • Security controls—The publication outlines what controls should be applied and when. It outlines how these controls are documented and approved. It is a risk-based approach that gives the agency some flexibility to tailor controls to meet its operational needs.

  • Risk assessment—The standard defines and outlines the process to conduct risk assessments. Risk assessments are an essential part of a risk-based security approach. The risk assessment results drive the type of security controls to be applied.

  • System security plan—The standards require a formal security plan for major systems and for the agency as a whole. The security plan serves as a roadmap. It is updated to keep current with threats and is an important part of the certification and accreditation process.

  • Certification and accreditation (C&A)—This process occurs after the system is documented, controls are tested, and the risk assessment is completed. It is required before going live with a major system. Once a system is certified and accredited, responsibility shifts to the agency to operate the system. This process is also referred to as the “security certification” process.

  • Continuous monitoring—All certified and accredited systems must be continuously monitored. Monitoring includes looking at new threats, changes to the system, and how well the controls are working. Sometimes a system has so many changes that it must be recertified.

In support of FISMA, NIST developed the following publications:

  • Federal Information Processing Standard (FIPS) Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

  • FIPS Publication 200, “Minimum Security Requirements for Federal Information and Information Systems”

  • NIST Special Publication 800-18, “Guide for Developing Security Plans for Federal Information Systems”

  • NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems”

  • NIST Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”

  • NIST Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View”

  • NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”

  • NIST Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems”

  • NIST Special Publication 800-59, “Guideline for Identifying an Information System as a National Security System”

  • NIST Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories”

To comply with FISMA, the appointed inspector general of the agency performs a separate, annual evaluation. The evaluation first assesses the effectiveness of the agency's IT security policies, procedures, and practices, and then tests a subset of the information systems within the agency. If no inspector general exists, an independent external auditor performs the evaluation. The results are submitted to the Office of Management and Budget (OMB), a cabinet-level office within the Executive Office of the President of the United States with oversight responsibilities. The OMB compiles the data from each agency and prepares an annual report to Congress on compliance with the act.

At first, it appears only federal agencies need to worry about compliance, but this is not true. Federal agencies, for example, must care about their own systems as well as the systems of other contractors or organizations supporting the agencies. Any company or organization that expects to conduct business with the federal government needs to concern itself with FISMA.

The changes signed into law in 2014 authorize the Secretary of the Department of Homeland Security (DHS) to assist the OMB. In addition, the changes affect reporting and notification requirements. Agencies are required to provide timely notification of major security incidents to the OMB. Agencies also are required to provide much more specific information related to threats and compliance.
