Federal Information Security Management Act (FISMA)

What is FISMA?

FISMA (Federal Information Security Management Act) is a United States federal law enacted in 2002 to protect government information, operations and assets against natural or man-made threats.

The act requires federal agencies to develop, document, and implement an information security program to provide information security for the information and systems that support their operations and assets.

What is the purpose of FISMA?

The purpose of FISMA is to ensure that agencies are taking appropriate steps to secure their systems and protect their data from unauthorized access, use, disclosure, disruption, modification, or destruction.

Who needs to comply with FISMA?

Organizations that store, process, or transmit U.S. government data must comply with FISMA. This includes all federal agencies, as well as any company or organization that contracts with the federal government.

FISMA implementation and compliance

The National Institute of Standards and Technology (NIST) was tasked by FISMA with developing information security standards (published as Federal Information Processing Standards, FIPS) and guidelines setting out minimum security requirements for information systems (published as Special Publications in the 800 series).

NIST has also developed a six-step Risk Management Framework (RMF) to enable agencies to achieve compliance with FISMA:

  1. Categorize information system
  2. Select security controls
  3. Implement security controls
  4. Assess security controls
  5. Authorize information system
  6. Monitor security controls

Each step in the RMF security lifecycle is supported by a Federal Information Processing Standard (FIPS) or Special Publication (SP).

For example, Federal Information Processing Standard Publication 199 (FIPS 199) establishes security categories for information and information systems and supports Step 1 of the RMF.

Compliance with FIPS is mandatory, and agencies must follow NIST guidance.

Annual reporting and auditing

Agencies must undertake an annual independent evaluation to determine the effectiveness of their information security policies, procedures, and practices.

This report must be submitted to the Office of Management and Budget (OMB) annually.

The report is then submitted to Congress, which provides funding to each agency.


Although there are no formal penalties for failing to comply with the law’s requirements, there are several notable disadvantages. All federal agencies are graded annually on their FISMA compliance programs, and FISMA scorecard results are publicly available.

  • A low grade reflects poorly on the agency. The reputational damage caused by the resulting negative media coverage can have profound effects.
  • Breaches have occurred after an agency's poor IT security posture became common knowledge. Agency officials have had to resign, and CIOs have been called to testify before Congress.
  • Agencies that fail to comply with FISMA may be subject to increased oversight or see their budgets reduced by the OMB.

As of March 2012 only seven of 24 agencies were more than 90% compliant with FISMA, according to FCW.

ISO 27001 and FISMA

The relevance of the NIST standards developed for FISMA is limited to the mandates provided by the US legislation.

ISO 27001 is an international Standard that is relevant globally and is often used by organizations with a global presence.

It may be appropriate for organizations with an international footprint to consider conformance to both frameworks.

This is true for multinationals such as Google, Microsoft, and Salesforce, which are compliant with both.

ISO 27001 is the internationally recognized best-practice Standard that lays out the requirements of an Information Security Management System (ISMS).

The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind.

It presents a comprehensive and logical approach to developing, implementing, and managing an ISMS. It also provides associated guidance for conducting risk assessments and applying the necessary risk treatments.

In addition, ISO 27001:2013 has been developed to harmonize with other standards, so auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.

The additional external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders—essential for securing certain global and government contracts.