FISMA Compliance Checklist

The Federal Information Security Management Act (FISMA) and Compliance Requirements

An introduction to FISMA

The Federal Information Security Management Act (FISMA) is a landmark piece of federal legislation that was enacted by the United States in 2002 under the E-Government Act of 2002. The federal government enacted the law in order to acknowledge the growing importance of information security to the political, economic, military, and financial interests of the United States. FISMA requires all federal agencies to review their policies related to information security on an annual basis and then inform the Office of Management and Budget (OMB) of the results.

At its most basic level, FISMA requires all federal government agencies to develop new processes that document and provide information security for all the data systems that support the functions and assets of the agency in question. The act is designed to increase the security of crucial government information and establish a “risk-based policy for cost-effective security.”

Which agencies govern FISMA compliance policies?

The National Institute of Standards and Technology (NIST) developed guidelines for all the relevant agencies in order to ensure FISMA compliance across the federal government. The Office of Management and Budget (OMB) exercises oversight authority to define methods for standardizing the FISMA compliance reports submitted by agencies. The OMB also presents these reports to Congress. In 2014, FISMA was amended to provide the Department of Homeland Security with the authority to implement and oversee processes and policies for information systems.

Under FISMA, the OMB is required to define what constitutes a major breach of information security. The distinction of authority between NIST and the OMB is clear. NIST develops standards pertaining to the provision of information security for the other federal agencies. The OMB, on the other hand, makes assessments based on those standards to determine whether compliance requirements are being fulfilled. The Computer Security Division of the Information Technology Laboratory is the division of NIST that develops and tests the various programs, applications and systems that provide network security to those agencies and bodies that fall under FISMA jurisdiction.

What does FISMA compliance constitute and who must maintain compliance?

NIST develops standards that outline how agencies are to become FISMA compliant. There is no FISMA certification as such; instead, agencies need to implement the controls defined in NIST 800-53. The agencies must develop the infrastructure to implement the associated procedures and policies. This requirement applies to both executive and legislative agencies.

FISMA compliance is currently required for the following bodies and organizations:

• All federal departments and agencies

• All state agencies that support or take part in federally funded programs, such as the disbursement of student aid, unemployment benefits, and Medicare and health services covered under the Affordable Care Act.

• Recently, FISMA expanded to require compliance from all private sector firms that have a relationship with the federal government. All vendors and suppliers who hold federal contracts must comply. In addition, those that receive federal funding or participate as a supporter or beneficiary of a federal program may need to comply.

Basic outline of compliance requirements

NIST outlines the basic steps toward compliance with FISMA. Under the act:

• All agencies must maintain a dedicated inventory of their information systems. The head of each agency is directly responsible for developing and maintaining it.

• The agency must determine what constitutes the information systems under its jurisdiction.

• Data and data systems are categorized according to risk levels. The definition of each risk level and security category is provided under FIPS 199.

Each tier of system security must have a dedicated plan, and NIST SP 800-18 defines the concepts of the system security plan. This plan is crucial, as it determines the accreditation and security certification process for the information system of each agency. Risk assessment is also a critical aspect of the compliance process. Of course, all federal information systems must meet the standards set by NIST Special Publication 800-53 and FIPS 200.

The accreditation and certification process takes place according to the standards defined by NIST SP 800-37. An independent assessor conducts the assessment and then passes the results on to an authorizing official (AO). The AO is a federal employee who holds the “ultimate” authority and therefore the formal responsibility. Finally, the AO demonstrates sufficient compliance on the agency’s behalf.