Many agencies within the U.S. government are prime targets for cybersecurity attacks and other breaches that put sensitive data at risk. The federal government knows its sensitive information is a target, so Congress has enacted legislation designed to support and strengthen cybersecurity. The Federal Information Security Management Act (FISMA) is a United States federal law that was passed in 2002. FISMA made it a requirement for federal agencies to develop, document, and implement an information security and protection program.
FISMA is one of the most important regulations for federal data security standards and guidelines. It was introduced to reduce the security risk to federal information and data while managing federal spending on information security. To achieve this, FISMA established a set of guidelines and security standards that federal agencies have to meet. The scope of FISMA has since increased to include state agencies administering federal programs like Medicare and Medicaid. FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government.
FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The Act requires program officials and the head of each agency to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely, and efficient manner.
Below you will find a simple guide to 9 steps toward compliance with FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they have been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.
Security plans and regular risk assessments are crucial to FISMA compliance. FISMA requires agencies to create a security plan, which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls. Risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level. FISMA requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve FISMA Certification and Accreditation (C&A) through a four-phased process which includes initiation and planning, certification, accreditation, and continuous monitoring. (Source: https://digitalguardian.com)
The Bottom Line: Federal agencies are a target for cyber data breaches