Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is the Federal Information Security Management Act of 2002, passed as Title III of the E-Government Act (Public Law 107-347) in December 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program that provides information security for the information and information systems supporting the agency's operations and assets, including those provided or managed by another agency, a contractor, or another source.
FISMA Legislation Overview
“Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…” (Federal Information Security Management Act of 2002)
FISMA Implementation Project
The FISMA Implementation Project was established in January 2003 to produce the key security standards and guidelines that the FISMA legislation requires. As part of the project, NIST also developed additional guidance in the form of Special Publications and an integrated Risk Management Framework that brings together all of NIST’s FISMA-related security standards and guidelines, in order to promote comprehensive, risk-based, and balanced information security programs across federal agencies. The ultimate objective of the Risk Management Framework and its associated publications is to enable agencies to conduct their day-to-day operations and accomplish their stated missions with adequate security, that is, security commensurate with risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
U.S. Critical Infrastructures
The USA Patriot Act (P.L. 107-56) defines U.S. critical infrastructures as: “…systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”
Federal Information Security Management Act (FISMA) Mentioned In The Federal Acquisition Regulations
The Federal Acquisition Regulations (available at http://www.acquisition.gov/far) refer directly to FISMA. FAR Section 7.103, on page 7.1-2, states:
“Agency-head responsibilities— The agency head or a designee shall prescribe procedures for ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB’s implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce’s National Institute of Standards and Technology.”
The FAR therefore points to three sources of requirements: FISMA itself, OMB Circular A-130, and the security standards and guidance developed by the National Institute of Standards and Technology at the Department of Commerce.
NIST’s Role In FISMA
FISMA reaffirmed NIST’s role in developing information security standards (Federal Information Processing Standards) and guidelines (Special Publications in the 800 series) for non-national-security federal information systems, and assigned NIST specific responsibilities, including the development of:
- Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in each category; and
- Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category.
Resources
Legislation, Directives, And Policies
- Public Law 107-347, Section III: Federal Information Security Management Act of 2002 (December 2002)
- Homeland Security Presidential Directive #7: Critical Infrastructure Identification, Prioritization, and Protection (December 2003)
- OMB Circular A-130, Appendix III: Security of Federal Automated Information Resources (November 2003)
FISMA Management And Reporting Tools
- OMB Security Line of Business Solutions
- Department of Justice: Cyber Security Asset and Management (CSAM) Tool Kit
Further Reading
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems
- NIST Special Publication 800-30, Revision 1, Risk Assessment Guideline (October 2008)
- NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective (DRAFT)
- NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems
- NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System
- NIST Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories