Certification & Compliance in a Nutshell: What is FISMA?

Our series of articles on certification and compliance demonstrates not only how many different types of industries are impacted by regulations but also the breadth of implications for their IT departments and service providers. Healthcare firms concern themselves with HIPAA (Health Insurance Portability and Accountability Act of 1996), publicly traded companies must abide by SOX (Sarbanes-Oxley Act of 2002), and federal agencies must comply with FISMA (below). Meanwhile, hosting services and other tech providers are wise to prove their compliance with these laws to reduce liability for their customers.

This article, the seventh and final installment in our series, looks at the Federal Information Security Management Act of 2002 (FISMA):

  • What is FISMA?
  • Background of the Law
  • Purpose of the Law
  • Development of Guidelines
  • Nine-Point Compliance To-Do List

What is FISMA?

FISMA is the commonly used acronym for the Federal Information Security Management Act. It is a series of laws passed by the US Congress that establish a full-scale construct to safeguard federal data, processes, and possessions against natural disasters and terrorism, as explained by Margaret Rouse of TechTarget. FISMA is part of a larger act, the Electronic Government Act of 2002.

FISMA describes the duties that must be carried out by a number of agencies so that federal information is protected. As Rouse describes it, “The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.”

Background of the Law

FISMA, also known as the Confidential Information Protection and Statistical Efficiency Act of 2002 and nicknamed the E-Government Act of 2002, is officially described as “An Act to strengthen Federal Government information security, including through the requirement for the development of mandatory information security risk management standards.” It passed both the House and Senate on November 15, 2002. Just over a month later, on December 17, the act became effective when George W. Bush signed it into law.

A well-researched article on Wikipedia describes the purpose of the law and the NIST’s development of guidelines:

Purpose of the Law

FISMA directs all agencies of the federal government to perform certain duties, as well as outlining specific tasks required of the Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST). The overarching goal is to make the federal government’s systems more consistently secure. The act also necessitates that the leader of each branch develop specific guidelines and processes to affordably minimize the chance of compromise, corruption, or destruction.

FISMA describes data security as safeguarding both the IT infrastructure and individual records from theft, alteration, or deletion by cybercriminals, so that systems are sound, sensitive data is respected, and the government’s connected web is highly reliable.

Development of Guidelines

The NIST, a nonregulatory agency that establishes measurement standards, is instructed by the law to create and continually update standards and stipulations, along with the strategies and tactics that can establish sufficient protections for all federal processes and belongings, except for the infrastructure of national defense and intelligence. NIST operates collaboratively with the branches of the government to strengthen their knowledge and tools related to FISMA so that their data and networks are secure.

The Institute also writes and distributes standards and parameters that are offered as a basis for any agency to refine its security stance. NIST conducts its FISMA duties through its computer security division at the Information Technology Laboratory. As the Wikipedia report explains, “NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services.”

Nine-Point Compliance To-Do List

NIST describes a nine-point to-do list for building and maintaining a FISMA-compliant system:

  1. Demarcate the specific information that you need to safeguard.
  2. Identify what the must-have security controls will be.
  3. Improve and adapt the controls through a vulnerability assessment.
  4. Make sure that all of your controls are in writing.
  5. Deploy the controls in a test environment.
  6. Determine whether or not the controls are sufficient with testing.
  7. Figure out the amount and types of risk that still exist with the controls, and make sure those risks are acceptable given the particular system.
  8. Confirm that the system can go live.
  9. Track the system to verify that the controls are working properly.

Bonus To-Do Item

The above list of items is stated so simply, but we all know that day-to-day security compliance can be extraordinarily complex. Add one more item to your to-do list: partner with an expert.

FISMA compliance is just one way that we prove our security, credibility, and reliability to our customers. Our spectrum of certification and compliance controls includes SSAE 16, ISO 9001:2008, ISO 27001:2013, ITIL, HIPAA, FISMA, and Sarbanes-Oxley.

By Kent Roberts