What is FISMA (Federal Information Security Management Act)?
The Federal Information Security Management Act (FISMA) is a United States federal law that was enacted as Title III of the E-Government Act of 2002. It requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.
Information security policy
FISMA recognizes "the importance of information security to the economic and national security interests of the United States" and is aimed at all federal agencies. It mandates that directors of federal agencies should oversee information security policies and practices that:
- Provide information security protections that adequately reflect the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.
- Comply with the requirements of FISMA and related policies, procedures, standards, and guidelines, as developed by NIST.
- Ensure that information security management processes are integrated with agency strategic and operations planning processes.
FISMA implementation and compliance
The National Institute of Standards and Technology (NIST) was tasked by FISMA to develop information security standards (Federal Information Processing Standards) and guidelines for the minimum requirements of information security systems (published as Special Publications in the 800-series).
NIST has also developed a six-step Risk Management Framework (RMF) to enable agencies to achieve compliance with FISMA:
- Categorize information system
- Select security controls
- Implement security controls
- Assess security controls
- Authorize information system
- Monitor security controls
Each step in the RMF security lifecycle is supported by a Federal Information Processing Standard (FIPS) or Special Publication (SP). For example, Federal Information Processing Standard Publication 199 (FIPS 199) establishes security categories for information and information systems and supports Step 1 of the RMF.
Compliance with FIPS is mandatory and agencies must follow NIST guidance.
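To make Step 1 concrete, here is an added example (not code from the page or from NIST) that derives a system's FIPS 199 security category from the information types it processes and then applies the FIPS 200 high-water mark that selects the SP 800-53 control baseline. The two information types are constructed for illustration.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels. NA (not applicable) is permitted only
    for the confidentiality of an individual information type, e.g. public data."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_info_type(confidentiality, integrity, availability):
    """Security category of one information type, keyed by security objective."""
    sc = {
        "confidentiality": Impact[confidentiality.upper()],
        "integrity": Impact[integrity.upper()],
        "availability": Impact[availability.upper()],
    }
    if sc["integrity"] == Impact.NA or sc["availability"] == Impact.NA:
        raise ValueError("NA is permitted only for confidentiality (FIPS 199)")
    return sc


def categorize_system(info_types):
    """FIPS 199 system categorization: for each objective take the highest impact
    across all information types on the system; a system never drops below LOW."""
    system_sc = {}
    for objective in OBJECTIVES:
        highest = max(sc[objective] for sc in info_types)
        system_sc[objective] = max(highest, Impact.LOW)
    return system_sc


def high_water_mark(sc):
    """FIPS 200 overall impact level: the highest impact among the three
    objectives, which chooses the low/moderate/high SP 800-53 baseline."""
    return max(sc.values())


def format_sc(sc):
    """Render a category in the FIPS 199 notation SC = {(objective, impact), ...}."""
    pairs = ", ".join(f"({k}, {v.name})" for k, v in sc.items())
    return "SC = {" + pairs + "}"


if __name__ == "__main__":
    # Constructed sample: public press releases plus internal contract records.
    public_info = categorize_info_type("na", "moderate", "low")
    contracts = categorize_info_type("moderate", "moderate", "low")
    system = categorize_system([public_info, contracts])
    print(format_sc(system))
    print("baseline:", high_water_mark(system).name)
```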
Annual reporting and auditing
Agencies must undertake an annual independent evaluation to determine the effectiveness of their information security policies, procedures, and practices. The results of this audit form the basis of a report on the adequacy of the agency’s information security posture and the state of its compliance with FISMA, which must be submitted to the Office of Management and Budget (OMB) annually. The report is then submitted to Congress, which provides funding to each agency.
Although there are no formal penalties for failing to comply with the law’s requirements, there are several notable disadvantages. All federal agencies are graded annually on their FISMA compliance programs, and FISMA scorecard results are publicly available.
- A low grade reflects badly on the agency, and the reputational damage caused by the resulting negative media coverage can have serious effects.
- IT breaches have occurred as a result of poor IT security postures becoming common knowledge, and agency officials have had to resign and CIOs testify before Congress.
- Agencies that fail to achieve compliance with FISMA may find themselves subject to increased oversight or find their budgets reduced by the OMB.
As of March 2012, only seven of 24 agencies were more than 90% compliant with FISMA, according to FCW.
ISO 27001 and FISMA
The relevance of the NIST standards developed for FISMA is limited to the mandates provided by the US legislation. ISO 27001 on the other hand is an international Standard that is relevant globally and is often used by organizations with an international presence.
It may be appropriate for organizations with an international footprint to consider conformance to both frameworks. This is true for multinationals such as Google, Microsoft, and Salesforce, who are compliant with both.
ISO 27001 is the internationally recognized best-practice Standard that lays out the requirements of an Information Security Management System (ISMS). The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind.
It presents a comprehensive and logical approach to developing, implementing, and managing an ISMS and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO 27001:2013 has been developed in order to harmonize with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.
Further, the additional external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders—essential for securing certain global and government contracts.