Federal Information Security Management Act of 2002 (FISMA)
What is FISMA?
The Federal Information Security Management Act (FISMA) is a United States federal law that was enacted as Title III of the E-Government Act of 2002. It requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.
Information security policy
FISMA recognizes "the importance of information security to the economic and national security interests of the United States" and is aimed at all federal agencies. It mandates that directors of federal agencies should oversee information security policies and practices that:
- Provide information security protections that adequately reflect the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information or of information systems.
- Comply with the requirements of FISMA and related policies, procedures, standards, and guidelines, as developed by NIST.
- Ensure that information security management processes are integrated with agency strategic and operations planning processes.
FISMA implementation and compliance
The National Institute of Standards and Technology (NIST) was tasked by FISMA to develop information security standards (Federal Information Processing Standards) and guidelines for the minimum requirements of information security systems (published as Special Publications in the 800-series).
NIST has also developed a six-step Risk Management Framework (RMF) to enable agencies to achieve compliance with FISMA:
- Categorize information system
- Select security controls
- Implement security controls
- Assess security controls
- Authorize information system
- Monitor security controls
Each step in the RMF security lifecycle is supported by a Federal Information Processing Standard (FIPS) or Special Publication (SP). For example, Federal Information Processing Standard Publication 199 (FIPS 199) establishes security categories for information and information systems and supports Step 1 of the RMF. Compliance with FIPS is mandatory and agencies must follow NIST guidance.
Annual reporting and auditing
Agencies must undertake an annual independent evaluation to determine the effectiveness of their information security policies, procedures, and practices. The results of this audit form the basis of a report on the adequacy of the agency’s information security posture and the state of its compliance with FISMA, which must be submitted to the Office of Management and Budget (OMB) annually. The report is then submitted to Congress, which provides funding to each agency.
Although there are no formal penalties for failing to comply with the law’s requirements, there are several notable disadvantages. All federal agencies are graded annually on their FISMA compliance programs, and FISMA scorecard results are publicly available.
- A low grade reflects badly on the agency, and the reputational damage caused by the resulting negative media coverage can have serious effects.
- IT breaches have occurred as a result of poor IT security postures becoming common knowledge, agency officials have had to resign, and CIOs have had to testify before Congress.
- Agencies that fail to achieve compliance with FISMA may find themselves subject to increased oversight or find their budgets reduced by the OMB.
As of March 2012, only seven of 24 agencies were more than 90% compliant with FISMA, according to FCW.
ISO27001 and FISMA
The relevance of the NIST standards developed for FISMA is limited to the mandates provided by the US legislation. ISO27001, on the other hand, is an international Standard that is relevant globally and is often used by organizations with an international presence. It may be appropriate for organizations with an international footprint to consider conformance to both frameworks. This is true for multinationals such as Google, Microsoft, and Salesforce, who are compliant with both.
ISO27001 is the internationally recognized best-practice Standard that lays out the requirements of an Information Security Management System (ISMS). The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing, and managing an ISMS and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed to harmonize with other standards, so auditing against other ISO standards will be an integrated and smooth process, removing the need for multiple audits.
Further, the additional external validation offered by ISO27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders—essential for securing certain global and government contracts.
Why IT Governance?
IT Governance is a specialist in the field of information security and IT governance and has led more than 400 successful registrations to ISO27001 around the world.
IT Governance has created ISO 27001 packaged solutions to give US organizations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.
Speak to an expert
One of our qualified ISO 27001 lead implementers is ready to offer you practical advice about the best approach to take for implementing an ISO 27001 project and to discuss different options to suit your budget and business needs.