Federal Information Security Management Act (FISMA)
The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.
The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA) provides several modifications that modernize Federal security practices to address evolving security concerns. These changes result in less overall reporting, strengthens the use of continuous monitoring in systems, increased focus on the agencies for compliance, and reporting that is more focused on the issues caused by security incidents.
The FISMA publications are developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. The FISMA publications are consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
As a key element of the FISMA Implementation Project, NIST also developed an integrated Risk Management Framework which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.
FISMA 2014 required OMB to amend/revise OMB Circular A-130 to eliminate inefficient and wasteful reporting and reflect changes in law and advances in technology. Specific to security and privacy, the updated A-130 emphasizes their roles in the Federal information lifecycle and represents a shift from viewing security and privacy requirements as compliance exercises to crucial elements of a comprehensive, strategic, and continuous risk-based program at Federal agencies.
- The National Institute of Standards and Technology has made available guidelines for applying risk management to Federal Information Systems. Refer to http://csrc.nist.gov/groups/SMA/fisma/rmf-training.html
- Go through the course at http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/rmf-training/index.html (Audio + slides)
Special Publication 800-53 is to provide guidelines for selecting and specifying security controls for systems supporting the executive agencies of the federal government.
- Providing a recommendation for minimum security controls for systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems;
- This publication is intended to provide guidance to federal agencies implementing FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are low, moderate, or high.
Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security
objective is high. The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.
The security-related areas include:
- (i) access control;
- (ii) awareness and training;
- (iii) audit and accountability;
- (iv) certification, accreditation, and security assessments;
- (v) configuration management;
- (vi) contingency planning;
- (vii) identification and authentication;
- (viii) incident response;
- (ix) maintenance;
- (x) media protection;
- (xi) physical and environmental protection;
- (xii) planning;
- (xiii) personnel security;
- (xiv) risk assessment;
- (xv) systems and services acquisition;
- (xvi) system and communications protection;
- (xvii) system and information integrity.
The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.
