The Federal Information Security Management Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information and operations. This risk management framework was signed into law as part of the Electronic Government Act of 2002, and later updated and amended.
Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs, or private businesses and service providers that hold a contract with the U.S. government. Reduced federal funding or other penalties may result from noncompliance.
The Electronic Government Act was introduced in order to improve the management of electronic government services and processes, while also managing federal spending around information security. FISMA was one of the more important regulations in the Electronic Government Act since it brought forth a method to reduce federal data security risks while emphasizing cost-effectiveness. A set of security policies were made for federal agencies to meet.
Specifically, FISMA requires federal agencies, and others it applies to, to develop, document and implement agency-wide information security programs. These programs should be able to protect sensitive data. The act also pushes some responsibilities to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). Agency officials, like chief information officers and inspector generals, should conduct annual reviews of an agency's information security program, reporting those reviews to OMB. OMB will then use the data to assist in its oversight responsibilities as well as forwarding annual reports to Congress.
NIST is tasked with developing information regarding standards and guidelines such as minimum security requirements.
FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. The NIST outlines numerous steps toward compliance with FISMA:
- Risk categorization. Information systems should be categorized based on objectives that provide an appropriate level of security. Categorization should be done by order of risk level, which makes sure sensitive information has a high level of security.
- Select minimum baseline controls. Federal systems must meet minimum security requirements. Not every security control has to be met, just ones most relevant to the specific organization and the systems they use.
- Document the controls in the system security plan. An inventory of all the information and systems used should be kept, as well as the interfaces between systems and networks. Documentation on the baseline controls used to protect these systems should also be kept. Security controls should then be implemented in appropriate information systems.
- Refine controls using a risk assessment procedure. This should be done to validate security controls and to determine if any other controls are needed. Assess the effectiveness of the security controls once they have been implemented.
- Annual security reviews must be conducted by program officials and agency heads in order to obtain a certification. This acts as a sort of security certification. Certification will prove a system is accredited. Certification and accreditation are defined in NIST SP 800-37.
- Monitor the security controls on a continuous basis. Accredited systems are required to continually monitor systems. This should help organizations to respond quickly to security incidents or data breach Documentation should be updated if any changes are made. Continuous monitoring should include status reporting, configuration management and security controls, as well as any changes made to a system.
These are some of the major steps. Other steps include determining the agency-level risk to the business case and authorizing information systems for processing.
FISMA compliance best practices
To ensure compliance with FISMA, here are some best practices to follow:
- Stay up to date with any new FISMA standards or NIST guidelines.
- Keep a record of FISMA compliances. Keeping any detailed records on steps taken to maintain compliance should help with any audits regarding FISMA.
- Classify data based on its level of sensitivity when it's created. This will ensure sensitive data is treated securely.
- Encrypt sensitive data automatically. A tool can be used to do this automatically, based on classification levels.
Pros and cons of FISMA
FISMA allows for:
- An increase in the security of federal information, both within federal and state agencies.
- Any business within the private sector to ensure that they're using the best security policies.
- More baseline controls and security plans, and more of an ability to respond to vulnerabilities.
- Continuous monitoring to provide a maintained level of security and for an organization to respond to threats quickly.
- Flexibility in implementation.
- A good starting point for implementing security measures.
There are also concerns around FISMA, though. For example:
- Sharing cybersecurity information between agencies may be difficult.
- Improvements to FISMA need improvements over time as new threats come about.
- FISMA measures security planning as opposed to measuring information security.
- Controls may be easy to confuse.
FISMA is best used as a starting point for implementing security measures.