Federal Information Security Management Act (FISMA)
Protecting the Nation's Critical Information Infrastructure. To promote the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act including:
- Standards for categorizing information and information systems by mission impact.
- Standards for minimum security requirements for information and information systems.
- Guidance for selecting appropriate security controls for information systems.
- Guidance for assessing security controls in information systems and determining security control effectiveness.
- Guidance for certifying and accrediting information systems.
The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
An effective information security program should include:
- Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
- Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system
- Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
- Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
- A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization
- Procedures for detecting, reporting, and responding to security incidents
- Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.
FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter
These management responsibilities presume that responsible agency officials understand the risks and other factors that could adversely affect their missions. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. As a key element of the FISMA Implementation Project, NIST also developed an integrated Risk Framework which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.
Phase I: Standards and Guidelines Development (2003-2008) The first phase of the FISMA Implementation Project focuses on the development of the security standards and guidance required to effectively implement the provisions of the legislation. The implementation of the NIST standards and guidance will help agencies create robust information security programs and effectively manage risk to agency operations, agency assets, and individuals. The publications include:
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information System.
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems.
- NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.
- NIST Special Publication 800-37 Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach.
- NIST Special Publication 800-39, (second public draft) NIST Risk Management Framework.
- NIST Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems.
- NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems.
- NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.
- NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System.
- NIST Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security.
Phase II: Organizational Credentialing Program (2007-2010) The second phase of the FISMA Implementation Project will focus on the development of a program for credentialing public and private sector organizations to provide security assessment services for federal agencies. The security services involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems including the assessment of the information technology products and services used in security control implementation. The security assessment services will determine the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
To support implementation of the Organizational Credentialing Program and aid security assessments, this phase of the FISMA Implementation Project will also include the following initiatives;
- Training Initiative: This initiative will include development of training courses, NIST publication Quick Start Guides (QSG’s), and Frequently Asked Questions (FAQ’s) to establish a common understanding of the NIST standards and guidelines supporting the NIST Risk Management Framework.
- Product and Services Assurance Assessment Initiative: This initiative will include defining criteria and guidelines for evaluating products and services used in the implementation of SP 800-53-based security controls.
- Support Tools Initiative: This initiative will include identifying or developing common protocols, programs, reference materials, checklists, and technical guides supporting implementation and assessment of SP 800-53-based security controls in information systems.
- Harmonization Initiative: This initiative will include identifying common relationships and the mappings of FISMA standards, guidelines and requirements with: (i) ISO 270000 series information security management standards; and (2) ISO 9000 and 17000 series quality management, and laboratory testing and accreditation standards. This harmonization is important for minimizing duplication of effort for organizations that must demonstrate compliance to both FISMA and ISO requirements.
Phase III: Security Tool Validation Program (2008-2009) Phase III of the FISMA Implementation Project has been eliminated as a separate phase, but will be incorporated into Phase II and use existing IT product testing, evaluation, and validation programs.