Term:Federal Information Security Management Act - FISMA


Description:

The Federal Information Security Management Act (FISMA) was passed in 2002 as a part of the E-Government Act. FISMA defines specifications regarding information security, for information and information systems that federal agencies must adhere to. Additionally, these information security standards must also be met by any other entity that supports the operations and assets of a federal agency.
The Act was divided into three phases for implementation purposes:
Phase I: Standards and Guidelines Development (2003-2008)
Phase II: Organizational Credentialing Program (2007-2010)
Phase III: Security Tool Validation Program (2008-2009)

FISMA by using its applications, assigns various responsibilities to agencies in which the agencies ensure data security in the federal government. NIST or The National Institute of Standards and Technology help to conduct annual reviews of the information security programs. NIST helps to keep risks, levels in cost effectiveness at a reasonable and low level. With this in mind NIST has created a nine step compliance system in which it grades FISMA on, [1]

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in appropriate information systems.
  6. Assess the effectiveness of the security controls once they have been implemented.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls on a continuous basis.

This information was cited at [1].

Applications:


FISMA states the following as their role:
‘‘(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
‘‘(2) recognize the highly networked nature of the current Federal computing environment and provide effective government wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;
‘‘(3) provide for development and maintenance of minimum controls required to protect Federal information and information systems;
‘‘(4) provide a mechanism for improved oversight of Federal agency information security programs;
‘‘(5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector;
‘‘(6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

Web Resources:

http://csrc.nist.gov/groups/SMA/fisma/index.html

http://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act




Related Terminology:
NIST (National Institute of Standards and Technology), responsible for the development of information security standards and guidelines for federal agencies.
OMB (Office of Management and Budget), as FISMA requires federal agencies to supply annual reports on their compliance to the act, this office is responsible for gather this data for reporting purposes to Congress
Information Technology (as defined by FISMA), means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
‘‘(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
‘‘(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
‘‘(C) availability, which means ensuring timely and reliable access to and use ofinformation.


Citations/References:
http://csrc.nist.gov/groups/SMA/fisma/index.html http://csrc.nist.gov/drivers/documents/FISMA-final.pdf Graphics: n/a

[1] http://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act