Wikipedia

Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub. L. 107–347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States.[1] The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.[1]

Federal Information Security Management Act of 2002
Long title: An Act to strengthen Federal Government information security, including through the requirement for the development of mandatory information security risk management standards.
Acronyms (colloquial): FISMA
Nicknames: E-Government Act of 2002
Enacted by: the 107th United States Congress
Effective: December 17, 2002
Citations
Public law: 107-347
Statutes at Large: 116 Stat. 2899 (aka 116 Stat. 2946)
Codification
Titles amended: 40 U.S.C. (Public Buildings, Property, and Works); 44 U.S.C. (Public Printing and Documents)
U.S.C. sections created: 44 U.S.C. ch. 35, subch. III § 3541 et seq.
U.S.C. sections amended: 40 U.S.C. ch. 113, subch. III § 11331; 40 U.S.C. ch. 113, subch. III § 11332; 44 U.S.C. ch. 1 § 101; 44 U.S.C. ch. 35, subch. I § 3501 et seq.
Legislative history
  • Introduced in the House as H.R. 3844 by Thomas M. Davis (R–VA) on March 5, 2002
  • Committee consideration by House Government Reform, House Science
  • Passed the House on November 15, 2002 (passed without objection)
  • Passed the Senate on November 15, 2002 (passed by unanimous consent)
  • Signed into law by President George W. Bush on December 17, 2002
Major amendments
Replaced by the Federal Information Security Modernization Act of 2014

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security."[1] FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.[2] In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio.[3] This law has been amended by the Federal Information Security Modernization Act of 2014 (Pub. L. 113–283), sometimes known as FISMA2014 or FISMA Reform. FISMA2014 struck subchapters II and III of chapter 35 of title 44, United States Code, amending it with the text of the new law in a new subchapter II (44 U.S.C. § 3551).

Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information security systems. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.[2]

According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems, and publishes standards and guidelines which provide the foundation for strong information security programs at agencies. NIST performs its statutory responsibilities through the Computer Security Division of the Information Technology Laboratory.[4] NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. NIST hosts the following:

  • FISMA implementation project[1]
  • Information Security Automation Program (ISAP)
  • National Vulnerability Database (NVD), the U.S. government content repository for ISAP and the Security Content Automation Protocol (SCAP). NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).[5]

Compliance framework defined by FISMA and supporting standards

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.[6]

Inventory of information systems

FISMA requires that agencies have an information systems inventory in place. According to FISMA, the head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency.[6] The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.[6] The first step is to determine what constitutes the "information system" in question. There is no direct mapping of computers to an information system; rather, an information system may be a collection of individual computers put to a common purpose and managed by the same system owner. NIST SP 800-18, Revision 1, "Guide for Developing Security Plans for Federal Information Systems",[7] provides guidance on determining system boundaries.

Categorize information and information systems according to risk level

All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels.[6] The first mandatory security standard required by the FISMA legislation, FIPS 199 "Standards for Security Categorization of Federal Information and Information Systems",[8] provides the definitions of security categories. The guidelines are provided by NIST SP 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories."[9]

The overall FIPS 199 system categorization is the "high water mark" for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of "Low" for "confidentiality," "integrity," and "availability," and another type has a rating of "Low" for "confidentiality" and "availability" but a rating of "Moderate" for "integrity," then the impact level for "integrity" also becomes "Moderate".
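The high-water-mark rule above is easy to get wrong when a system holds many information types, so here it is as code. This is an added example, not code from the Wikipedia article or from NIST: it takes each information type's confidentiality, integrity and availability impact levels, computes the system level per objective as the maximum across types, and then the overall system level as the maximum across objectives (the level FIPS 200 uses to pick a control baseline). The information-type names are constructed sample data; the two types mirror the article's own example.

```python
"""FIPS 199 security categorization by "high water mark".

Added example, not code from the Wikipedia article or from NIST. Each
information type carries an impact level (LOW, MODERATE, HIGH) for
confidentiality, integrity and availability; the system's level for an
objective is the maximum over its information types, and the overall
system category is the maximum over the three objectives. The
information-type names below are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective):
        """Impact level of this type for one objective, validated."""
        value = getattr(self, objective)
        if value not in RANK:
            raise ValueError(f"{self.name}: invalid {objective} level {value!r}")
        return value


def high_water_mark(levels):
    """Highest impact level among an iterable of levels."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types):
    """Per-objective system category and the overall (highest) level.

    Returns ({objective: level}, overall_level).
    """
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    per_objective = {
        obj: high_water_mark(t.level(obj) for t in info_types) for obj in OBJECTIVES
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def fips199_notation(per_objective):
    """Render the category the way FIPS 199 writes it, e.g.
    SC = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}."""
    parts = ", ".join(f"({obj}, {lvl})" for obj, lvl in per_objective.items())
    return "SC = {" + parts + "}"


# Constructed sample: the two information types from the article's example.
ARTICLE_EXAMPLE = [
    InfoType("public web content", "LOW", "LOW", "LOW"),
    InfoType("case records", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    per_obj, overall = categorize_system(ARTICLE_EXAMPLE)
    print(fips199_notation(per_obj))
    print("overall system impact level:", overall)
```

Run stand-alone, it prints the integrity level as MODERATE and the overall system level as MODERATE, which is exactly the article's case: one MODERATE rating on one objective of one information type lifts the whole system.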

Security controls

Federal information systems must meet the minimum security requirements.[6] These requirements are defined in the second mandatory security standard required by the FISMA legislation, FIPS 200 "Minimum Security Requirements for Federal Information and Information Systems".[8] Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems". The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.

Risk assessment

The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. The agency's risk assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of "security due diligence" for the federal agency and its contractors.[10] A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether the risk should be accepted or mitigated. If mitigated by the implementation of a control, one needs to describe what additional security controls will be added to the system.
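The paragraph above describes a procedure: map existing controls to vulnerabilities, score likelihood and impact, decide accept or mitigate, and record what controls will be added. The following is an added example of that procedure as a small risk register; it is not code from the Wikipedia article or from NIST. The 1-3 numeric scale, the rule that each effective existing control lowers likelihood by one step, and the acceptance threshold are this example's own assumptions (an agency would take its scales from its own methodology), and the vulnerabilities, threats and control names are constructed sample data.

```python
"""Worked risk assessment of the kind the section above describes.

Added example; it is not code from the Wikipedia article or from NIST.
The 1-3 numeric scale, the rule that each effective existing control
lowers likelihood by one step, and the acceptance threshold are this
example's own assumptions, chosen so the arithmetic is visible.
Vulnerability, threat and control names are constructed sample data.
"""
from dataclasses import dataclass, field

SCALE = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
ACCEPT_AT_OR_BELOW = 2   # assumption: residual score <= 2 may be accepted


@dataclass
class Vulnerability:
    ident: str
    description: str
    threat: str
    raw_likelihood: str                 # before credit for existing controls
    impact: str
    existing_controls: list = field(default_factory=list)
    planned_controls: list = field(default_factory=list)

    def __post_init__(self):
        for level in (self.raw_likelihood, self.impact):
            if level not in SCALE:
                raise ValueError(f"{self.ident}: unknown level {level!r}")


def residual_likelihood(v):
    """Likelihood after existing controls: one step per control, floor LOW."""
    return max(SCALE[v.raw_likelihood] - len(v.existing_controls), SCALE["LOW"])


def risk_score(v):
    """Risk = residual likelihood x impact (1 to 9 on this scale)."""
    return residual_likelihood(v) * SCALE[v.impact]


def decide(v):
    """Accept, mitigate with the planned controls, or flag a missing plan."""
    if risk_score(v) <= ACCEPT_AT_OR_BELOW:
        return "accept"
    if v.planned_controls:
        return "mitigate"
    return "mitigate (no control planned: action required)"


def assess(vulnerabilities):
    """One row per vulnerability, highest risk first."""
    rows = [{"id": v.ident, "score": risk_score(v), "decision": decide(v),
             "add": list(v.planned_controls)} for v in vulnerabilities]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (not real findings).
REGISTER = [
    Vulnerability("V-1", "web server missing vendor patches",
                  "exploitation from the internet", "HIGH", "HIGH",
                  planned_controls=["patch management", "network segmentation"]),
    Vulnerability("V-2", "shared administrator account",
                  "misuse by an insider", "MODERATE", "MODERATE",
                  existing_controls=["audit logging"]),
    Vulnerability("V-3", "no offline backups of the case database",
                  "ransomware", "MODERATE", "HIGH",
                  existing_controls=["endpoint antimalware"]),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

The point the register makes visible is the third entry: existing controls bring its likelihood down, but the residual score still exceeds the threshold and no mitigating control is planned, so the assessment must either record the additional control to be added or an explicit acceptance by the authorizing official; the "accept" and "mitigate" decisions are only meaningful when that record exists.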

NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) that support and complement the approach for achieving consistent, cost-effective security control assessments.

System security plan

Agencies should develop policy on the system security planning process.[6] NIST SP 800-18 introduces the concept of a System Security Plan.[7] System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.[7]

The system security plan is the major input to the security certification and accreditation process for the system. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. The certification agent confirms that the security controls described in the system security plan are consistent with the FIPS 199 security category determined for the information system, and that the threat and vulnerability identification and initial risk determination are identified and documented in the system security plan, risk assessment, or equivalent document.[7]

Certification and accreditation

Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems".[11] Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staff at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems.[11]

The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.[11]

Continuous monitoring

All accredited systems are required to monitor a selected set of security controls, and their system documentation must be updated to reflect changes and modifications to the system. Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified.

Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved.
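The two paragraphs above name two triggers for reassessing a control: the organization's monitoring schedule, and changes to the system. The following added example (not code from the Wikipedia article or from NIST) turns both into a selection function that returns which controls are due for assessment and why, and flags when a change is large enough that the risk assessment itself must be updated. The controls, components, frequencies, dates and change records are constructed sample data, and the rule that a change touching more than half of the monitored components counts as "large" is this example's own assumption; an agency would set its own criteria.

```python
"""Selecting controls for continuous-monitoring assessment.

Added example; it is not code from the Wikipedia article or from NIST.
It models the two triggers the section above names: a schedule, under
which each monitored control is reassessed on its own frequency, and
changes to the system, under which controls tied to a changed component
are reassessed and a large change also demands an updated risk
assessment. The controls, frequencies, dates and change records below
are constructed sample data, and the rule that a change touching more
than half of the monitored components counts as "large" is this
example's own assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class MonitoredControl:
    ident: str
    component: str          # system component on which the control is implemented
    frequency_days: int     # organization's chosen reassessment interval
    last_assessed: date


@dataclass(frozen=True)
class Change:
    description: str
    components: frozenset   # components touched by the change


def due_by_schedule(controls, today):
    """Controls whose reassessment interval has elapsed."""
    return [c for c in controls
            if c.last_assessed + timedelta(days=c.frequency_days) <= today]


def due_by_change(controls, change):
    """Controls implemented on a component the change touched."""
    return [c for c in controls if c.component in change.components]


def is_large_change(controls, change):
    """Assumption: touching more than half the monitored components is 'large'."""
    monitored = {c.component for c in controls}
    return 2 * len(change.components & monitored) > len(monitored)


def select_for_assessment(controls, today, changes=()):
    """Return ({control id: reason}, risk_assessment_update_needed)."""
    selected = {c.ident: "schedule" for c in due_by_schedule(controls, today)}
    update_risk_assessment = False
    for change in changes:
        for c in due_by_change(controls, change):
            selected.setdefault(c.ident, f"change: {change.description}")
        if is_large_change(controls, change):
            update_risk_assessment = True
    return dict(sorted(selected.items())), update_risk_assessment


# Constructed sample data (control ids and components are not real).
TODAY = date(2024, 6, 1)
CONTROLS = [
    MonitoredControl("CTRL-01", "web tier", 90, date(2024, 2, 1)),
    MonitoredControl("CTRL-02", "web tier", 365, date(2023, 12, 15)),
    MonitoredControl("CTRL-03", "database", 30, date(2024, 5, 20)),
    MonitoredControl("CTRL-04", "identity provider", 180, date(2023, 11, 1)),
    MonitoredControl("CTRL-05", "database", 90, date(2024, 4, 1)),
]
DB_MIGRATION = Change("database moved to a new host", frozenset({"database"}))
PLATFORM_REBUILD = Change("web tier and database rebuilt",
                          frozenset({"web tier", "database"}))

if __name__ == "__main__":
    chosen, needs_risk_update = select_for_assessment(CONTROLS, TODAY, [DB_MIGRATION])
    for ident, reason in chosen.items():
        print(ident, "->", reason)
    print("updated risk assessment needed:", needs_risk_update)
```

With the database migration alone, two controls come due on schedule and two more because their component changed, and no risk-assessment update is flagged; the larger rebuild flags one. Keeping the reason alongside each selected control is what makes the status report the section mentions auditable later.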

Critique

Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS Institute, have described FISMA as "a well-intentioned but fundamentally flawed tool", arguing that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security.[12] Past GAO chief technology officer Keith Rhodes said that FISMA can and has helped government system security but that implementation is everything, and if security people view FISMA as just a checklist, nothing is going to get done.[13]

See also

  • Attack (computing)
  • Committee on National Security Systems
  • Computer security
  • Cybersecurity
  • Cyberwarfare
  • Department of Defense Information Assurance Certification and Accreditation Process
  • Federal Desktop Core Configuration, NIST security standards for Windows workstations
  • Information assurance
  • Information security
  • Information security management system
  • IT risk
  • OMB Circular A-130
  • Security Content Automation Protocol, automated testing for security compliance
  • Threat (computer)
  • Vulnerability (computing)

References

  1. "NIST: FISMA Overview". Csrc.nist.gov. Retrieved April 27, 2012.
  2. FY 2005 Report to Congress on Implementation of The Federal Information Security Management Act of 2002
  3. FY 2008 Report to Congress on Implementation of The Federal Information
  4. "NIST Computer Security Division 2008 report". Csrc.nist.gov. Retrieved April 27, 2012.
  5. "National Vulnerability Database". Nvd.nist.gov. Retrieved April 27, 2012.
  6. The 2002 Federal Information Security Management Act (FISMA)
  7. NIST SP 800-18, Revision 1, "Guide for Developing Security Plans for Federal Information Systems"
  8. "Catalog of FIPS publications". Csrc.nist.gov. Retrieved April 27, 2012.
  9. "Catalog of NIST SP-800 publications". Csrc.nist.gov. Retrieved April 27, 2012.
  10. NIST SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems"
  11. NIST SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems"
  12. "Government Computer News, FISMA efficiency questioned, 2007". Gcn.com. March 18, 2007. Retrieved April 27, 2012.
  13. "Government Computer News, Effective IT security starts with risk analysis, former GAO CTO says". Gcn.com. June 10, 2009. Retrieved April 27, 2012.

External links

  • NIST Special Publications Library
  • NIST FISMA Implementation Project Home Page
  • Full text of FISMA
  • OMB Memoranda
  • Report on 2004 FISMA scores
  • FISMApedia project
  • FISMA Resources
