Federal Information Security Management Act of 2002
The Federal Information Security Management Act of 2002 ("FISMA") is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio.

Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies. NIST performs its statutory responsibilities through the Computer Security Division of the Information Technology Laboratory. NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. NIST hosts the following:
  • FISMA implementation project
  • Information Security Automation Program (ISAP)
  • National Vulnerability Database (NVD) – the U.S. government content repository for ISAP and SCAP. NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Compliance framework defined by FISMA and supporting standards

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency or by a contractor or other organization on behalf of a federal agency. This framework is further defined by the standards and guidelines developed by NIST.

Inventory of information systems

FISMA requires that agencies have in place an information systems inventory. According to FISMA, the head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency. The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

The first step is to determine what constitutes the "information system" in question. There is not a direct mapping of computers to information systems; rather, an information system may be a collection of individual computers put to a common purpose and managed by the same system owner. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, provides guidance on determining system boundaries.

Categorize information and information systems according to risk level

All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels. The first mandatory security standard required by the FISMA legislation, namely FIPS PUB 199, "Standards for Security Categorization of Federal Information and Information Systems", provides the definitions of security categories. Guidance on applying them is provided by NIST SP 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories."

The overall FIPS PUB 199 system categorization is the "high water mark" for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of "Low" for "confidentiality," "integrity," and "availability," and another type has a rating of "Low" for "confidentiality" and "availability" but a rating of "Moderate" for "integrity," then the entire system has a FIPS PUB 199 categorization of "Moderate."
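The high-water-mark rule above is simple enough to encode, and doing so makes the edge cases explicit. The following is an added example and is not code from the original article or from NIST. It rates each of the three objectives separately across all information types resident in a system, then takes the highest objective rating as the overall category, and renders the result in the SC = {(objective, impact), ...} notation FIPS 199 uses. It also handles the "N/A" value that FIPS 199 allows for the confidentiality of an information type (public information) while never rating a system below Low. The information-type ratings in `EXAMPLE_SYSTEM` are constructed to match the worked example in the text.

```python
"""FIPS 199 "high water mark" categorization, written as an added illustration.
Not NIST code; the information-type ratings below are constructed sample data."""
from typing import Dict, Iterable, List

# Impact levels in increasing order. FIPS 199 permits "N/A" only for the
# confidentiality objective of an individual information type (e.g. public
# information); an information system itself is never rated below Low.
IMPACT_ORDER = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoType = Dict[str, str]  # objective -> impact level for one information type


def validate_info_type(info_type: InfoType) -> None:
    """Reject unknown levels and N/A outside the confidentiality objective."""
    for objective in OBJECTIVES:
        level = info_type.get(objective)
        if level not in IMPACT_ORDER:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{objective}: N/A is only permitted for confidentiality")


def categorize_objectives(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective high water mark across every information type in the system."""
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("a system must contain at least one information type")
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = "Low"  # floor: a system rating never drops below Low
        for info_type in types:
            validate_info_type(info_type)
            level = info_type[objective]
            if IMPACT_ORDER[level] > IMPACT_ORDER[highest]:
                highest = level
        result[objective] = highest
    return result


def system_category(info_types: Iterable[InfoType]) -> str:
    """Overall FIPS 199 categorization: the highest of the three objective ratings."""
    per_objective = categorize_objectives(info_types)
    return max(per_objective.values(), key=lambda level: IMPACT_ORDER[level])


def security_category_notation(info_types: Iterable[InfoType]) -> str:
    """Render the result in the SC = {(objective, impact), ...} form used by FIPS 199."""
    per = categorize_objectives(info_types)
    pairs = ", ".join(f"({objective}, {per[objective]})" for objective in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample matching the worked example in the text: one information
# type rated Low/Low/Low, another rated Low/Moderate/Low.
EXAMPLE_SYSTEM: List[InfoType] = [
    {"confidentiality": "Low", "integrity": "Low", "availability": "Low"},
    {"confidentiality": "Low", "integrity": "Moderate", "availability": "Low"},
]

if __name__ == "__main__":
    print(security_category_notation(EXAMPLE_SYSTEM))
    print("Overall:", system_category(EXAMPLE_SYSTEM))
```

Running the sample yields SC = {(confidentiality, Low), (integrity, Moderate), (availability, Low)} and an overall category of Moderate. The per-objective result matters in practice because FIPS 200 and SP 800-53 baselines are selected from the overall category, while the individual objective ratings still guide tailoring.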

Security controls

Federal information systems must meet the minimum security requirements. These requirements are defined in the second mandatory security standard required by the FISMA legislation, namely FIPS 200 "Minimum Security Requirements for Federal Information and Information Systems".
Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems". The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization.
Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments.
The controls selected or planned must be documented in the System Security Plan.

Risk assessment

The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. The agency's risk assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of "security due diligence" for the federal agency and its contractors.

A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether the risk should be accepted or mitigated. If mitigated by the implementation of a control, one needs to describe what additional security controls will be added to the system.
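The steps just described (map implemented controls to each vulnerability, derive likelihood and impact with those controls credited, compute the risk, and record accept or mitigate along with any additional controls) can be carried out over a small risk register. The following is an added example, not tooling from NIST or any agency. It assumes the likelihood and impact weights of the risk-level matrix in the 2002 edition of NIST SP 800-30 (later editions use a different scale), and it adopts a deliberate simplification in which each effective mapped control lowers the likelihood by one level. The register entries are constructed; the control identifiers SI-2, RA-5 and AC-2 are used only as labels for implemented or planned SP 800-53 controls.

```python
"""Risk-register calculation illustrating the risk assessment steps: map controls
to vulnerabilities, derive likelihood and impact, compute the risk and record the
accept/mitigate decision. Added example, not NIST or agency tooling; the register
entries are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ["Low", "Moderate", "High"]
# Likelihood and impact weights as in the risk-level matrix of the 2002 edition
# of NIST SP 800-30 (assumption: later editions use a different scale).
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Moderate": 50, "High": 100}


@dataclass
class Control:
    control_id: str   # identifier of an implemented control, e.g. an SP 800-53 control
    effective: bool   # assessed as implemented correctly and operating as intended


@dataclass
class Vulnerability:
    vuln_id: str
    threat: str
    description: str
    likelihood: str                 # likelihood before crediting any controls
    impact: str                     # impact if the vulnerability were exploited
    implemented: List[Control] = field(default_factory=list)
    planned: List[str] = field(default_factory=list)  # additional controls if mitigated


def residual_likelihood(v: Vulnerability) -> str:
    """Credit each effective mapped control with one step down in likelihood
    (a deliberate simplification made for this example)."""
    effective = sum(1 for c in v.implemented if c.effective)
    return LEVELS[max(0, LEVELS.index(v.likelihood) - effective)]


def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 (2002) scale: above 50 is High, above 10 up to 50 is Moderate, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def assess(register: List[Vulnerability], accept_up_to: str = "Low") -> List[Dict[str, str]]:
    """Calculated risk for every vulnerability plus the accept/mitigate decision.
    Risks at or below `accept_up_to` are accepted; anything higher must name the
    additional control(s) to be added, or is flagged as still needing one."""
    rows: List[Dict[str, str]] = []
    for v in register:
        likelihood = residual_likelihood(v)
        level = risk_level(risk_score(likelihood, v.impact))
        if LEVELS.index(level) <= LEVELS.index(accept_up_to):
            decision = "accept"
        elif v.planned:
            decision = "mitigate: add " + ", ".join(v.planned)
        else:
            decision = "mitigate: additional control not yet identified"
        rows.append({"vuln_id": v.vuln_id, "likelihood": likelihood,
                     "impact": v.impact, "risk": level, "decision": decision})
    return rows


# Constructed register: three vulnerabilities with differing control coverage.
SAMPLE_REGISTER = [
    Vulnerability("V-1", "external actor", "outdated software on an internet-facing server",
                  likelihood="High", impact="High",
                  implemented=[Control("SI-2", effective=True)], planned=["RA-5"]),
    Vulnerability("V-2", "insider error", "inconsistent labelling of internal documents",
                  likelihood="Moderate", impact="Low"),
    Vulnerability("V-3", "external actor", "dormant user accounts not disabled",
                  likelihood="High", impact="High",
                  implemented=[Control("AC-2", effective=False)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

The third entry is the case the text warns about: a control that is mapped to the vulnerability but not operating as intended earns no credit, so the risk stays High and the register shows that no additional control has yet been identified. The `accept_up_to` threshold is where the agency's risk tolerance enters the calculation.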

NIST also initiated the Information Security Automation Program (ISAP) and the Security Content Automation Protocol (SCAP), which support and complement the approach for achieving consistent, cost-effective security control assessments.

System security plan

Agencies should develop policy on the system security planning process. NIST SP 800-18 introduces the concept of a System Security Plan. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.

The System security plan is the major input to the security certification and accreditation process for the system. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. The certification agent confirms that the security controls described in the system security plan are consistent with the FIPS 199 security category determined for the information system, and that the threat and vulnerability identification and initial risk determination are identified and documented in the system security plan, risk assessment, or equivalent document.

Certification and accreditation

Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems".
Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems.

The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.

Continuous monitoring

All accredited systems are required to monitor a selected set of security controls and the system documentation is updated to reflect changes and modifications to the system. Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified.

Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved.

Critique

Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS Institute, have described FISMA as a well-intentioned but fundamentally flawed tool, and argued that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security. Past federal chief technology officer Keith Rhodes said that FISMA can and has helped government system security but that implementation is everything, and if security people view FISMA as just a checklist, nothing is going to get done.

Status

As of June 2010, multiple bills in Congress are proposing changes to FISMA, including shifting focus from periodic assessment to real-time assessment and increasing use of automation for reporting.

See also

  • Attack (computer)
  • Computer security
  • Cybersecurity
  • Cyberwarfare
  • Committee on National Security Systems
  • Department of Defense Information Assurance Certification and Accreditation Process
  • Department of Defense Information Technology Security Certification and Accreditation Process
  • Federal Desktop Core Configuration – security standards for Windows workstations
  • Information assurance
  • Information security
  • ISMS
  • IT risk
  • OMB Circular A-130
  • System Security Authorization Agreement
  • Security Content Automation Protocol – automated testing for security compliance
  • Threat (computer)
  • Vulnerability (computing)

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.