
FISMA

Introduction

The Federal Information Security Modernization Act (FISMA) requires federal agencies to implement an agency-wide information security program that manages risk to their information and information systems effectively.

The National Institute of Standards and Technology (NIST) is a non-regulatory agency that issues the standards and guidelines agencies use to comply with FISMA.

Body

FISMA assigns responsibilities to various agencies to ensure the security of data held by the federal government. The act requires program officials and the head of each agency to conduct annual reviews of their information security programs. The goal of these reviews is to keep risk at or below an acceptable level in a cost-effective, timely and efficient manner. NIST outlines a series of steps toward compliance with FISMA:

  1. Risk categorization: Information systems are categorized by the impact a loss of confidentiality, integrity or availability would have on the organization (low, moderate or high, per FIPS 199). Categorizing by impact level ensures that the most sensitive information and systems receive the strongest protection.
  2. Select minimum baseline controls: Federal systems must meet the minimum security requirements defined in FIPS 200. A baseline set of controls from NIST SP 800-53 is selected according to the system's impact level and then tailored, so an agency implements the controls that apply to its own systems and environment rather than every control in the catalog.
  3. Document the controls in the system security plan: An inventory of all information and systems must be maintained, including the interfaces between systems and networks. The system security plan documents the baseline controls selected to protect these systems and how they are implemented. The controls are then implemented in the relevant information systems.
  4. Refine controls using a risk assessment procedure: A risk assessment validates the selected controls and determines whether additional controls are needed. Once the controls are implemented, their effectiveness is assessed.
  5. Annual security reviews and certification: Program officials and agency heads must conduct annual reviews of the security program. Separately, a system goes through certification, the comprehensive assessment of its security controls, and accreditation, the official management decision to authorize the system to operate and accept the residual risk. Certification and accreditation are defined in NIST SP 800-37.
  6. Monitor the security controls on a continuous basis: Accredited systems must be continuously monitored so the organization can respond quickly to security incidents or data breaches. Documentation must be updated whenever the system changes. Continuous monitoring includes status reporting, configuration management, ongoing assessment of security controls, and tracking of any changes made to a system.

These are the major steps. Other steps include determining the agency-level risk to the mission or business case and formally authorizing the information system to operate.


Source: https://csrc.nist.gov/projects/risk-management/fisma-background


This post is licensed under CC BY 4.0 by the author.