FISMA Best Practices: Overcoming Persistent Weaknesses Through Effective Security Compliance

By: netForensics
Published: Nov 16, 2007
Length: 10
Type: White Paper
Overview:

Securing Federal information and systems is an ongoing challenge. By implementing comprehensive security compliance management methods for data collection, retention, monitoring and reporting, federal agencies can successfully demonstrate a sound framework that meets FISMA requirements.

This whitepaper discusses how federal agencies can develop and execute a proactive security compliance management strategy by employing six key best practices.


FISMA Security Compliance:

“Significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information on millions of Americans, thereby exposing them to loss of privacy and identity theft. Almost all of the major federal agencies had weaknesses in one or more areas of information security controls. In their fiscal year 2006 financial statement audit reports, 21 of 24 major agencies indicated that deficient information security controls were either a reportable condition or a material weakness.

Our audits continue to identify similar weaknesses in non-financial systems. Similarly, in their annual reporting under 31 U.S.C. § 3512 (commonly referred to as the Federal Managers’ Financial Integrity Act of 1982), 17 of 24 agencies reported shortcomings in information security, including 7 that considered it a material weakness. IGs have also noted the seriousness of information security, with 21 of 24 including it as a ‘major management challenge.’ An underlying cause for these weaknesses is that agencies have not fully implemented their information security programs… thereby leaving them vulnerable to attack or compromise.” GAO Report to OMB, July 27, 2007

FISMA Minimum Security Requirements
Enacted by the federal government in 2002, the Federal Information Security Management Act (FISMA) recognized the need to define a comprehensive framework for establishing and monitoring security programs for federal agencies. Governed by the National Institute of Standards and Technology (NIST), the Act applies to the information and information systems used by federal agencies, and also to any organization, such as a contractor or industry partner, that possesses or uses federal information. Thus, FISMA has a wider applicability than previous federal agency security laws.

NIST defines and provides guidance on the mandatory standards for FISMA compliance. For example, NIST released the Federal Information Processing Standards (FIPS) Publication 200 in March 2006, announcing the standard for minimum security requirements for federal information and information systems. These minimum security requirements cover 17 security-related areas for protecting the confidentiality, integrity, and availability of federal information and systems.

The 17 security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. In complying with these requirements, government agencies must follow NIST Special Publication 800-53 to select appropriate and adequate security controls. Under FISMA regulations, each federal agency must develop, document, and implement an agency-wide information security program which includes:

- Developing a comprehensive security program.
- Ensuring that appropriate officials are assigned security responsibility.
- Periodically reviewing the security controls in their information systems.
- Engaging in annual security reporting to the OMB.
- Providing internal security awareness training.
- Following guidelines issued by NIST for information security controls.

Federal agencies are also required to inventory their IT assets, analyze security incidents, develop processes for reporting and monitoring security incidents, and conduct security awareness training. In short, IT organizations need an effective approach to FISMA compliance that involves establishing an agency-wide, risk-based, and cost-effective information security program.

Securing Federal Information and Systems is an Ongoing Challenge
The success of FISMA compliance and proactive information security depends on the agency’s capability to execute the following key steps:

- Risk Assessment — The complying agency must use an approach to risk assessment that considers historical, real-time, and potential vulnerabilities, while enabling rapid action to prevent known and unknown threats from occurring. Risks must be identified based on visibility into the security devices or controls in place, as well as the underlying, internal applications and data that those controls are protecting. The risk-based findings of a formal risk assessment will help identify policies that must be assessed and infrastructures that must be hardened to ensure that known and unknown threats do not occur. If such threat events do occur, quick, decisive action must be taken.
