Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law part of the Electronic Government Act of 2002.
The Electronic Government Act was introduced in order to improve the management of electronic government services and processes. FISMA was one of the more important regulations in the act, because it brought forth a method to reduce security risks to federal data while managing spending on information security. A set of guidelines were made to have federal agencies comply with and meet.Content Continues Below
Since 2002, FISMA’s scope has widened to apply to state agencies that administer federal programs, or private businesses that are within a contract with the government. Reduced federal funding or other penalties may result from non-compliance.
FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. The National Institute of Standards and Technology ( NIST ) outlines nine steps toward compliance with FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they have been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.
Pros and Cons of FISMA
FISMA in general allows for an increase in the security of federal information. Both within federal and state agencies. Moreover, any business withing the private sector will be ensured that they’re using best security practices as well. In addition, more baseline controls and security plans mean more of an ability to respond to vulnerabilities.
There are also concerns around FISMA though. For example, sharing cybersecurity information between agencies may be difficult. In addition, improvements to FISMA has had to, and will continue to, need improvements over time as new threats come about.