Introduction to The Federal Information Security Management Act (FISMA) 2002

The Federal Information Security Management Act (FISMA) 2002 established the importance of information security principles and practices within the Federal Government, noting that information security is critical to the economic and national security interests of the United States. The emphasis of FISMA was to establish a risk-based policy for cost-effective security. With the passage of FISMA, each federal agency became responsible for developing and implementing an information security program for the information systems under its control, including any information systems managed by contractors. The goals of FISMA are to reduce information security risk and expenditures for the Federal agencies; specifically, they were to implement “adequate security, or security commensurate with risk.”

What is FISMA Compliance?

Both government agencies and commercial entities that support a government contract to process, store, or transmit government data must demonstrate compliance with FISMA. They must categorize their system and identify the controls that need to be implemented. They must then demonstrate that they have implemented the controls identified in NIST SP 800-53 and develop the supporting policies, processes and procedures needed for the secure operation of the system. The assessment of the security controls should be conducted by an independent assessor with a background in and experience with the NIST SP 800-53 controls, the assessment processes, and the ability to document compliance with the controls.

Based on the outcome of the assessment of the controls, an Authorizing Official (AO) will determine if the risk is acceptable to allow the system to operate in production, or to process, store and transmit government data. An AO is “a senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation” (SP 800-37, Rev 1).

If a commercial entity supports multiple government agencies, it may have to obtain multiple Authorizations to Operate (ATOs), as each government agency may have slightly different requirements, standards and risk appetites. FISMA compliance and the granting of an ATO are very much an individual agency determination, and there is no reciprocity between the AOs of different government agencies.

What are the top requirements of FISMA?

While the full FISMA requirements are extensive and very detailed, the top requirements can be summarized as follows:

  1. Maintain an inventory of information systems – Every agency should have in place an inventory of information systems that are operated by, or under the control of, the agency. The inventory must include an identification of the interfaces between each system and all other systems or networks, including those not operated by, or under the control of, the agency.
  2. Categorize information and information systems according to risk level – All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels defined by FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems.” The guidelines are provided by NIST SP 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories.”
  3. Maintain a system security plan – Agencies should develop and maintain a system security plan, which is a living document that requires periodic review, modification, and plans of action and milestones for implementing security controls. The system security plan is the major input to the security certification and accreditation process for the system.
  4. Utilize security controls – Federal information systems must meet the minimum security requirements which are defined in FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems.” Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST SP 800-53, “Recommended Security Controls for Federal Information Systems.” Agencies have flexibility in applying the baseline security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.
  5. Conduct risk assessments – Each agency should conduct risk assessments to validate its security controls and to determine if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the United States. The resulting set of security controls establishes a level of “security due diligence” for the federal agency and its contractors.
  6. Certification and accreditation – Once the system documentation and risk assessment have been completed, the system’s controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37.
  7. Conduct continuous monitoring – All accredited systems are required to monitor a selected set of security controls and the system documentation should be updated to reflect changes and modifications to the system. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

This set of requirements should be adopted by financial organizations to strengthen their computer security framework. Although most institutions may already have these minimum requirements in place, management should make it part of their culture to build their framework above the minimum requirements and to ensure that the framework is updated periodically.
