An 8(a), EDWOSB, Hispanic Owned Firm
Regulatory Compliance should be a by-product of good information security. Our experts know where the two should meet.
Federal Information Security Management Act – FISMA Compliance
The Federal Information Security Management Act (FISMA) requires federal agencies to develop, document, and implement an information security program to safeguard their information systems including those provided or managed by another agency, contractor, or another third party.
Information Security Program
The information security program has the objective of ensuring the core information security principles: integrity, confidentiality, authenticity, availability and non-repudiation of information and information systems. The key elements of the program can be summarized as below:
- Assignment of Responsibilities: Appropriate officials should be assigned security responsibilities.
- Periodic Assessments of Risk: Periodic assessments of the risk, and of the consequent impact on the agency, that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems supporting the agency’s operations and assets.
- Policies and Procedures: Policies and procedures to reduce risks and ensure that information security is addressed throughout the life cycle of each organizational information system are to be properly documented. Such procedures include procedures for detecting, reporting, and responding to security incidents and procedures to ensure continuity of operations.
- Security Awareness Training: Personnel, including contractors, are to be trained in information security principles, the security risks related to their job requirements, and the agency’s policies and procedures.
- Periodic Testing and Evaluation: The effectiveness of information security policies, procedures, practices, and security controls should be tested at least annually.
- A Process for Planning, Implementing, Evaluating, and Documenting Remedial Actions: A process to address any deficiencies in the information security policies, procedures, and practices of the organization should be implemented and documented by the agency.
Standards and Guidelines
The National Institute of Standards and Technology (NIST) created the Special Publication 800-53 – Recommended Security Controls for Federal Information Systems, which is a set of standards and guidelines outlining the security controls that should be put in place in federal information systems. The guidelines apply to all federal information systems other than those systems designated as national security systems. NIST Special Publication 800-59 provides guidance on identifying an information system as a national security system. Failure to comply with the controls in the NIST recommendation may constitute failure to comply with the FISMA requirements for information system protection.
Failure to Comply
Failing a FISMA inspection can have the following negative consequences:
- Significant administrative sanctions
- Computer breaches
- Unfavorable publicity
- Reduction of IT budget
How ERM can help
ERM can help federal agencies with all the requirements mandated by FISMA:
- Information Security Program Gap Analysis: ERM Gap Analysis can help review the agency information security program and identify the deficiencies and the “gaps” that prevent the agency from achieving compliance.
- Information Security Program Implementation: ERM can provide support and guidance for the implementation of the information security program, including the following key components:
  - Perform risk assessment
  - Develop and/or review policies and procedures
  - Provide security awareness training
  - Test and evaluate security controls
  - Create and document a formal agency-wide remediation program
- Guidance and Support during Remediation: Provide support and guidance during the remediation phase to achieve compliance.