Sarbanes-Oxley was one of the biggest things to hit information security in the past decade. In fact, four years after its enactment, we're still seeing new articles, seminars and products targeting SOX. But another law, passed right after SOX, also impacts information security practitioners and has received a much smaller portion of the legislative limelight: FISMA.
What is FISMA?
The Federal Information Security Management Act of 2002 (FISMA) consists of Title III of the E-Government Act of 2002 (U.S. Public Law 104-347), enacted into law at the close of 2002. FISMA outlines a mandate for improving the information security framework of federal agencies, contractors and other entities that handle federal data (e.g., state and local governments). FISMA consists of a set of directives governing what security responsibilities federal entities have, and it assigns oversight and management roles for the implementation of those directives.
FISMA sets aside a number of specific tasks targeted to particular audiences:
- Agencies -- Federal agencies have the largest responsibility under FISMA. They're required to establish an integrated, risk-based information security program that adheres to high-level requirements governing how information security is conducted within their agency. For example, agencies are required to assess the current level of risk associated with their information and information systems, define controls to protect those systems, implement policies and procedures to cost-effectively reduce risk, periodically test and evaluate those controls, train personnel on information security policies and procedures, and manage incidents.
- National Institute of Standards and Technology (NIST) -- NIST bears the responsibility for setting centralized standards and guidance to which agencies must adhere. These include the definition and categorization of risk levels and setting minimum standards for safeguarding assets according to risk level.
- Office of Management and Budget (OMB) -- The OMB bears the responsibility for oversight of FISMA. It defines a standardized reporting methodology whereby compliance status is analyzed alongside the results of independent testing activities conducted by the agency's Inspector General to produce a high-level compliance score. The OMB then, on an annual basis, submits a high-level report to Congress consisting of "grades" (A through F) for the agencies.
FISMA compliance to date
So far, the annual "report cards" produced by the OMB haven't exactly been "Honor Roll" material. But they have shown a pattern of steady, gradual improvement: the 2004 and 2005 agency-wide average grade held steady at a D+ (up from a D in 2003). While these marks sound poor, it is important to recognize that looking at the letter grade alone can be deceptive. For example, since the paperwork involved in FISMA compliance is significant (particularly in the area of compliance assessment), agencies that prioritize technical information security improvements over completing the necessary forms may actually score lower than agencies with the reverse priorities.
Private-sector FISMA awareness
Despite the fact that FISMA compliance is only mandatory for organizations that handle federal data, it can be useful for private-sector security practitioners to maintain an awareness of ongoing FISMA compliance activities as well. Since the majority of the supporting documentation produced within the federal sector is extremely thorough and freely available, these documents can prove useful to security professionals outside of the federal realm. NIST, for example, has produced an extensive library of material related to security program initiation, minimum security controls and assignment of risk, which can be leveraged by private-sector practitioners involved in assessment, authoring security policy or selecting technical security controls. NIST's most comprehensive documents, Special Publication (SP) 800-53 "Recommended Security Controls for Federal Information Systems" and SP 800-53A (both currently in the review process), provide a detailed catalogue of security controls indexed by risk level as well as extremely thorough practical guidelines for assessing those security controls once implemented. For an auditor or assessor, the value of having a standardized, freely available, documented checklist for verification of security controls cannot be overstated.
About the author:
Ed Moyle is a veteran of the information security industry. As a Manager with CTG, he provides practical guidance and solutions to clients worldwide. Ed has held numerous key roles in information security, including VP/ISO for Merrill Lynch and Lead Developer for biometrics firm ICT. Ed is co-author of Cryptographic Libraries for Developers, a practical resource for developers.