Federal Information Security Management Act (FISMA)
Revision as of 18:05, 18 May 2020

Defining Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) was enacted in 2002 as Title III of the E-Government Act of 2002 and remains one of the most important pieces of legislation in information security. The act formally recognizes that an effective IT security program is essential to the economic and national security interests of the United States. Under FISMA, federal agencies must develop, document and implement agency-wide programs that protect the confidentiality, integrity and availability (the CIA triad) of agency information and information systems. The law applies not only to federal agencies themselves but also to contractors and any other party that handles federal information or operates systems on an agency's behalf, which brings private companies under contract with the federal government into scope. The National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) maintain and periodically update the standards and guidance that agencies follow to build effective information security and risk management programs. In short, FISMA is intended to keep government information protected across all electronic government portals, platforms and processes.[1]

The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 and introduces several changes that modernize federal security practice to address evolving threats. These changes reduce the overall reporting burden, strengthen the use of continuous monitoring of systems, increase agency accountability for compliance, and refocus reporting on the issues that security incidents actually cause. FISMA, together with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of this legislation, the Office of Management and Budget (OMB), through Circular A-130, "Managing Federal Information as a Strategic Resource," requires executive agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their systems
  • Authorize system processing prior to operations and, periodically, thereafter

These management responsibilities presume that responsible agency officials understand the risks and other factors that could adversely affect their missions. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information and systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.[2]



FISMA Requirements[3]

The top FISMA requirements include:

  • Information System Inventory: Every federal agency, and every contractor working with the government, must maintain an inventory of all information systems used within the organization. The inventory must also record the interfaces and integrations between these systems and other systems on the network, since an undocumented connection is an unassessed path into the system.
  • Risk Categorization: Organizations must categorize their information and information systems by the impact that a loss of confidentiality, integrity or availability would have, so that sensitive information and the systems that process it receive the strongest protection. FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," defines three potential impact levels (low, moderate and high) for each of the three security objectives; a system's overall category is the highest impact level assigned to any information type it handles.
  • System Security Plan: FISMA requires agencies to create a system security plan (SSP) that is regularly maintained and kept up to date. The plan should describe the security controls implemented in the organization, its security policies, and a timetable for introducing further controls.
  • Security Controls: NIST SP 800-53 provides an extensive catalog of security controls for FISMA compliance. FISMA does not require an agency to implement every control in the catalog; instead, the agency selects the control baseline that matches the system's FIPS 199 impact level (as FIPS 200 requires) and tailors it to its organization and systems. Once the appropriate controls are selected and the security requirements are satisfied, the selected controls must be documented in the system security plan.
  • Risk Assessments: Risk assessments are a key element of FISMA's information security requirements. NIST SP 800-30 gives guidance on how agencies should conduct them. According to the NIST guidance, risk assessments are conducted at three tiers to identify security risks at the organization level, the mission/business process level, and the information system level.
  • Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual security reviews to keep risk at an acceptable level. Agencies historically achieved FISMA Certification and Accreditation (C&A) through a four-phase process: initiation and planning, certification, accreditation, and continuous monitoring. NIST's current Risk Management Framework (SP 800-37) has replaced the C&A terminology with assessment and authorization, culminating in an authorization to operate (ATO) that is sustained through continuous monitoring rather than periodic recertification.
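The categorization and baseline-selection rules described in the Risk Categorization and Security Controls items above can be written down as a short procedure. The following Python is an added example, not code from the original page or from NIST: it applies the FIPS 199 high-water mark rule to a constructed inventory of information types and maps the resulting security category to a SP 800-53 baseline the way FIPS 200 prescribes. The system names, information types and impact ratings are constructed sample data, not values from SP 800-60 or from any real agency.

```python
"""FIPS 199 security categorization and FIPS 200 baseline selection.

Added example: the information types and impact ratings below are constructed
sample data, not taken from SP 800-60 or from any real system.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact values. NOT_APPLICABLE is allowed only for the
    confidentiality of an individual information type, never for a system."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One type of information resident on a system, rated per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199: only confidentiality may be rated not applicable (e.g. public
        # information); integrity and availability always carry an impact level.
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: integrity/availability cannot be N/A")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __str__(self) -> str:
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality.name, self.integrity.name, self.availability.name))


def categorize_system(info_types: Iterable[InfoType]) -> SecurityCategory:
    """Apply the FIPS 199 high-water mark: per objective, take the highest impact
    across every information type on the system. A system is never rated below
    LOW on any objective, so a type rated N/A for confidentiality does not pull
    the system down, and a system holding only public data still lands at LOW."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must carry at least one information type")
    floor = Impact.LOW
    return SecurityCategory(
        confidentiality=max(floor, max(t.confidentiality for t in types)),
        integrity=max(floor, max(t.integrity for t in types)),
        availability=max(floor, max(t.availability for t in types)),
    )


def select_baseline(sc: SecurityCategory) -> str:
    """FIPS 200: the SP 800-53 baseline follows the highest impact in the security
    category (low-impact system: all LOW; moderate: at least one MODERATE and no
    HIGH; high: at least one HIGH)."""
    return max(sc.confidentiality, sc.integrity, sc.availability).name


def categorize_inventory(
    inventory: Dict[str, Iterable[InfoType]]
) -> Dict[str, Tuple[SecurityCategory, str]]:
    """Categorize every system in an inventory and pick its baseline."""
    result = {}
    for system, types in inventory.items():
        sc = categorize_system(types)
        result[system] = (sc, select_baseline(sc))
    return result


# Constructed sample inventory (hypothetical systems and ratings).
PUBLIC_SITE_TYPES = [
    InfoType("Public guidance content", Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
]
BENEFITS_PORTAL_TYPES = [
    InfoType("Public guidance content", Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    InfoType("Beneficiary PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Payment disbursement records", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
]
SAMPLE_INVENTORY = {
    "public-website": PUBLIC_SITE_TYPES,
    "benefits-portal": BENEFITS_PORTAL_TYPES,
}

if __name__ == "__main__":
    for system, (sc, baseline) in categorize_inventory(SAMPLE_INVENTORY).items():
        print(f"{system}: {sc} -> SP 800-53 {baseline} baseline")
```

The point worth noticing is that a single HIGH integrity rating on one information type (the payment records) drives the whole benefits portal to the HIGH baseline, even though its confidentiality never exceeds MODERATE; that is the high-water mark rule at work, and it is why the inventory of information types on each system has to be complete before controls are selected.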


[Figure: FISMA Requirements. Source: Varonis]


Who Needs to Follow FISMA Compliance[4]

Originally, FISMA applied only to federal agencies. Over time its reach has extended to state agencies that administer federal programs (e.g., Medicare, Medicaid, unemployment insurance) and to companies holding contracts with federal agencies. That means private sector companies doing business with a federal agency must meet the same information security requirements as the agency itself.



References

  1. ForcePoint, "What is the Federal Information Security Management Act (FISMA)", https://www.forcepoint.com/cyber-edu/fisma
  2. NIST, "What is the Federal Information Security Modernization Act of 2014" (Risk Management detailed overview), https://csrc.nist.gov/projects/risk-management/detailed-overview
  3. Digital Guardian, "What are the top FISMA Requirements"
  4. Varonis, "Who Needs to Follow FISMA Compliance?", https://www.varonis.com/blog/fisma-compliance/