The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. Federal government systems are entrusted with transmitting some of the nation’s most sensitive and critical information. The impact of a data breach or service disruption to a government system would not only threaten privacy for citizens, but could also have national security implications.
What is FISMA?
The Federal Information Security Management Act (FISMA) was created to govern the management of information security in the Federal government. FISMA acts as the umbrella legislation for several standards that collectively support the overall FISMA mandate. The way in which each individual standard fits into the Federal government’s security compliance ecosystem is illustrated by the FISMA Risk Management Framework (RMF). The standards provide guidance on specific operational, technical and management security controls that should be used to guide the implementation of hands-on security practices and configuration settings. Key security standards for FISMA are detailed in NIST Special Publication 800-53 (simply referred to as NIST SP 800-53), as well as the Federal Information Processing Standards (FIPS), specifically in FIPS 199 and FIPS 200. FISMA requires covered entities to integrate the guidance in all three of these standards, in addition to other related Office of Management and Budget (OMB) mandates.
The goal of FISMA is to ensure that Federal departments and agencies apply risk-based, cost-effective measures that provide adequate security and mitigate the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of information. Covered entities are required to apply specific security controls to all federal data and information systems to protect against data loss, service interruptions, or threats to national security. The OMB is responsible for reviewing FISMA audit documentation annually from each covered entity and reporting its findings to the U.S. Congress. After the FISMA audit documentation is reviewed and approved by an accrediting official, the accreditation authorization may last up to 3 years, as long as no significant changes are made. However, as systems are modified, additional controls or processes may need to be implemented. As a result, each covered entity is responsible for conducting ongoing monitoring in order to keep track of whether it needs to be recertified against FISMA requirements.
Who needs to be FISMA compliant?
All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant. This may include such diverse entities as data clearinghouses, state government departments, and government military subcontractors, provided that data is exchanged directly with Federal government systems. Coverage may expand to include public and private sector entities that utilize, manage or run critical infrastructures if FISMA security controls are combined with the Consensus Audit Guidelines as part of the new U.S. Information and Communications Enhancement (ICE) Act.
Penalties for non-compliance
Government agencies that do not meet FISMA compliance standards may be sanctioned by having their budgets cut. Government subcontractors risk being terminated from existing contracts and may become ineligible to bid on future government contracts. Procurement rules provide a concrete example of how these constraints are enforced: NIST and OMB guidance support the use of Security Content Automation Protocol (SCAP) compliant tools as part of meeting FISMA requirements, in an effort to accelerate the adoption of vulnerability assessment automation tools. The General Services Administration (GSA) revision to the Federal Acquisition Regulation (FAR), together with the provisions in the SmartBUY program, prohibits procurement officers from authorizing purchases of vulnerability scanners unless those scanners prove to be SCAP compliant. The OMB can sanction organizations that fail to adhere to these procurement constraints.
Contact MBM Consulting Services for a free evaluation of your FISMA requirements