The Federal Information Security Management Act of 2002 (FISMA, , et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (, ). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion or about 9.2 percent of the total information technology portfolio.
This law has been amended by the Federal Information Security Modernization Act of 2014 (), sometimes known as FISMA2014 or FISMA Reform. FISMA2014 struck subchapters II and III of chapter 35 of title 44, United States Code, amending it with the text of the new law in a new subchapter II ().
Purpose of the act
FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB) in order to strengthen information security systems. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. NIST hosts the following:
- FISMA implementation project
Compliance framework defined by FISMA and supporting standards
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
Inventory of information systems
FISMA requires that agencies have an information systems inventory in place.
According to FISMA, the head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency. NIST guidance addresses how to determine the boundaries of those systems.
Categorize information and information systems according to risk level
All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels. FIPS 199 provides the definitions of the security categories; the guidelines for applying them are provided by NIST SP 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories."
The overall FIPS 199 system categorization is the "high water mark" for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of "Low" for "confidentiality," "integrity," and "availability," and another type has a rating of "Low" for "confidentiality" and "availability" but a rating of "Moderate" for "integrity," then the impact level for "integrity" also becomes "Moderate".
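The high water mark rule above, as an added example that is not part of the original article: each objective takes the highest rating of any information type resident in the system, and the overall system level is the highest of the three objectives. The information types and ratings are constructed sample data.

```python
# FIPS 199 "high water mark" aggregation, as described in the paragraph above.
# Added example, not part of the original article; the information types and
# their ratings are constructed sample data.
from typing import Dict

# FIPS 199 potential impact levels, in increasing order of severity.
IMPACT_ORDER = {"Low": 0, "Moderate": 1, "High": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def high_water_mark(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per-objective impact for a system holding the given information types.

    info_types maps an information-type name to its {objective: level} ratings.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    result = {}
    for objective in OBJECTIVES:
        levels = []
        for name, ratings in info_types.items():
            level = ratings.get(objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{name!r}: missing or unknown {objective} rating {level!r}")
            levels.append(level)
        # High water mark: the highest rating any resident information type carries.
        result[objective] = max(levels, key=IMPACT_ORDER.__getitem__)
    return result

def system_impact_level(per_objective: Dict[str, str]) -> str:
    """Overall FIPS 199 system categorization: the highest of the three objectives."""
    return max(per_objective.values(), key=IMPACT_ORDER.__getitem__)

def security_category(per_objective: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    pairs = ", ".join(f"({o}, {per_objective[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"

# Constructed sample: the two information types from the paragraph above.
SAMPLE_SYSTEM = {
    "public web content": {"confidentiality": "Low", "integrity": "Low", "availability": "Low"},
    "case records": {"confidentiality": "Low", "integrity": "Moderate", "availability": "Low"},
}

if __name__ == "__main__":
    marks = high_water_mark(SAMPLE_SYSTEM)
    print(security_category(marks), "-> overall:", system_impact_level(marks))
```

A rating that is missing or outside Low/Moderate/High raises an error rather than being silently treated as Low, since an under-categorized system would be assigned too weak a control baseline.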
Security controls
Federal information systems must meet the minimum security requirements.
A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether each risk should be accepted or mitigated. If a risk is to be mitigated by implementing a control, one needs to describe what additional security controls will be added to the system.
NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) that support and complement the approach for achieving consistent, cost-effective security control assessments.
System security plan
Agencies should develop policy on the system security planning process.
Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staff at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. Former GAO chief technology officer Keith Rhodes said that FISMA can and has helped government system security, but that implementation is everything, and if security people view FISMA as just a checklist, nothing is going to get done.
See also
- Attack (computing)
- Committee on National Security Systems
- Computer security
- Cybersecurity
- Cyberwarfare
- Department of Defense Information Assurance Certification and Accreditation Process
- Federal Desktop Core Configuration – security standards for Windows workstations
- Information assurance
- Information security
- Information security management system
- IT risk
- OMB Circular A-130
- Security Content Automation Protocol – automated testing for security compliance
- Threat (computer)
- Vulnerability (computing)
External links
- NIST Special Publications Library
- NIST FISMA Implementation Project Home Page
- Full text of FISMA
- OMB Memoranda
- Report on 2004 FISMA scores
- FISMA Resources
- Rsam: Automated Platform for FISMA Compliance and Continuous Monitoring
