Every week we bring you various compliance checks like PCI-DSS, HIPAA, ISO 27001 and SOX so as to make our readers aware of the various checklists that businesses need to follow in order to be compliant with it. Today we will discuss about FISMA.

FISMA stands for the Federal Information Security Management Act (FISMA). It was signed into law part of the Electronic Government Act of 2002. This act is required for the federal agencies to develop, document, and implement an information security management program for giving safeguard to their information systems which even includes those who are provided or managed by another agency, contractor, or third party.

Purpose of FISMA

The National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) are assigned specific responsibilities by FISMA in order to strengthen information security systems. The head of each agency is required to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

National Institute of Standards and Technology (NIST)

NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies.

It outlines nine steps toward compliance with FISMA:

  • Categorize the information to be protected.

  • Select minimum baseline controls.

  • Refine controls using a risk assessment procedure.

  • Document the controls in the system security plan.

  • Implement security controls in appropriate information systems.

  • Assess the effectiveness of the security controls once they have been implemented.

  • Determine agency-level risk to the mission or business case.

  • Authorize the information system for processing.

  • Monitor the security controls on a continuous basis.

Information Security Program

This program’s main objective is to ensure that the core information security principles namely confidentiality, integrity, authenticity, non-repudiation and availability of information and information systems are provided. The key elements of the program can be summarized as below:

Assignment of Responsibilities

This ensures that the right officials are assigned security responsibilities.

Periodic Assessments of Risk

This includes the risk and consequent impact on the agency and would eventually result from the unauthorized access, disclosure, use, disruption, destruction or modification of information and information systems supporting an agency’s operations and assets.

Policies and Procedures

The policies and procedures are being made to reduce the risks and to ensure that the security of information is addressed throughout the life cycle of each organizational information system in a properly documented manner and this type of procedures include detecting, responding, reporting to security incidents and procedures to ensure continuity of operations.

Security Awareness Training

All the personnel including the contractors are required to be trained in regards to information security principles and the security risks related to their job requirements, and an agency’s policies and procedures.

Periodic Testing and Evaluation

The test should be done annually after some days that the effectiveness of information security policies, procedures, practices.

A Process for Planning, Implementing, Evaluating, and Documenting Remedial Actions: It also has a process for addressing any deficiencies that might occur in the information security policies, procedures, and practices of the organization which needs to be implemented and documented by the agency.

Failure to Comply

If anyone fails a FISMA inspection, then it might have the following negative consequences:

  • Significant administrative sanctions

  • Computer breaches

  • Unfavorable publicity

  • Reduction of IT budget

There are many who can help federal agencies with all the requirements mandated by FISMA.

Information Security Program Gap Analysis

The gap analysis of them is to help review the agency information security program and then identify it for the deficiencies and gaps that prevent the agency from achieving compliance.

Information Security Program Implementation

Enterprise Risk Management (ERM can provide support and guidance for the implementation of the information security program including the following key components:

  • Perform Risk Assessment

  • Develop and/or review Policies and Procedures

  • Provide Security Awareness Training

  • For testing and evaluating the security controls

  • For creating and documenting a formal agency-wide remediation program