Guidance on Federal information security controls

The Federal Information Security Management Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information and operations. This risk management framework was signed into law as part of the Electronic Government Act of 2002, and later updated and amended.

Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs, as well as to private businesses and service providers that hold a contract with the U.S. government. Noncompliance may result in reduced federal funding or other penalties.

The Electronic Government Act was introduced to improve the management of electronic government services and processes, while also managing federal spending on information security. FISMA was one of the more important parts of the Electronic Government Act because it brought forth a method for reducing federal data security risks while emphasizing cost-effectiveness. A set of security policies was created for federal agencies to meet.

Specifically, FISMA requires federal agencies, and the other organizations it applies to, to develop, document and implement agency-wide information security programs. These programs should be able to protect sensitive data. The act also assigns responsibilities to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). Agency officials, such as chief information officers and inspectors general, should conduct annual reviews of the agency's information security program and report those reviews to OMB. OMB then uses the data in its oversight role and forwards annual reports to Congress.

NIST is tasked with developing information regarding standards and guidelines such as minimum security requirements.

FISMA compliance

FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. NIST outlines numerous steps toward compliance with FISMA:

  1. Risk categorization. Information systems should be categorized based on objectives that provide an appropriate level of security. Categorization should be done by order of risk level, which makes sure sensitive information has a high level of security.
  2. Select minimum baseline controls. Federal systems must meet minimum security requirements. Not every security control has to be met, just ones most relevant to the specific organization and the systems they use.
  3. Document the controls in the system security plan. An inventory of all the information and systems used should be kept, as well as the interfaces between systems and networks. Documentation on the baseline controls used to protect these systems should also be kept. Security controls should then be implemented in appropriate information systems.
  4. Refine controls using a risk assessment procedure. This should be done to validate security controls and to determine if any other controls are needed. Assess the effectiveness of the security controls once they have been implemented.
  5. Conduct annual security reviews. Program officials and agency heads must conduct these reviews, which serve as a form of security certification. Certification shows that a system is accredited. Certification and accreditation are defined in NIST SP 800-37.
  6. Monitor the security controls on a continuous basis. Accredited systems are required to be monitored continually. This should help organizations respond quickly to security incidents or data breaches. Documentation should be updated whenever changes are made. Continuous monitoring should include status reporting, configuration management and security controls, as well as any changes made to a system.

These are some of the major steps. Other steps include determining the agency-level risk to the business case and authorizing information systems for processing.
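As an added illustration of steps 1 and 2 (not code from the original article), the following Python applies the FIPS 199 high-water-mark rule that NIST uses to categorize a system and the FIPS 200 rule that maps that category to a Low, Moderate or High SP 800-53 control baseline; the information types and impact ratings are constructed sample data.

```python
# Added illustration (not from the article): FIPS 199 security categorization
# and FIPS 200 baseline selection, the NIST mechanics behind FISMA steps 1 and 2.
# Each information type is rated LOW/MODERATE/HIGH for confidentiality, integrity
# and availability; the system's category is the per-objective high-water mark
# across all its information types, and the control baseline is the highest of
# the three system levels. All sample data below is constructed.
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str) -> str:
    """Reject ratings outside the three FIPS 199 impact levels."""
    if level not in RANK:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")
    return level


def categorize_system(info_types):
    """Return the FIPS 199 system category as {objective: level}, the high-water mark per objective."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"}
    for it in info_types:
        for objective in category:
            level = _check(getattr(it, objective))
            if RANK[level] > RANK[category[objective]]:
                category[objective] = level
    return category


def select_baseline(category):
    """FIPS 200: the control baseline is the highest impact level across C/I/A."""
    return max(category.values(), key=RANK.__getitem__)


# Constructed sample: a benefits-payment system holding PII, and a public notices site
BENEFITS_SYSTEM = [
    InfoType("citizen PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment ledger", "MODERATE", "HIGH", "MODERATE"),
]
PUBLIC_SITE = [InfoType("public notices", "LOW", "MODERATE", "LOW")]

if __name__ == "__main__":
    for name, system in (("benefits", BENEFITS_SYSTEM), ("public site", PUBLIC_SITE)):
        cat = categorize_system(system)
        print(name, cat, "-> baseline:", select_baseline(cat))
```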

FISMA compliance best practices

To ensure compliance with FISMA, here are some best practices to follow:

  • Stay up to date with any new FISMA standards or NIST guidelines.
  • Keep records of FISMA compliance. Detailed records of the steps taken to maintain compliance will help with any FISMA audits.
  • Classify data based on its level of sensitivity when it's created. This will ensure sensitive data is treated securely.
  • Encrypt sensitive data automatically. A tool can apply encryption based on the data's classification level.

Pros and cons of FISMA

FISMA allows for:

  • An increase in the security of federal information, both within federal and state agencies.
  • Businesses in the private sector to ensure that they're using the best security policies.
  • More baseline controls and security plans, and more of an ability to respond to vulnerabilities.
  • Continuous monitoring to provide a maintained level of security and for an organization to respond to threats quickly.
  • Flexibility in implementation.
  • A good starting point for implementing security measures.

There are also concerns around FISMA, though. For example:

  • Sharing cybersecurity information between agencies may be difficult.
  • FISMA itself needs updating over time as new threats come about.
  • FISMA measures security planning as opposed to measuring information security.
  • Controls may be easy to confuse.

FISMA is best used as a starting point for implementing security measures.

This was last updated in September 2020

What guidance identifies federal information security controls?

The E-Government Act was among the first federal laws to comprehensively address information privacy and security issues in federal information technology systems. It complements the Privacy Act of 1974 and was intended to promote access to electronic government resources.

What are the 3 information security controls?

There are three main types of IT security controls: technical, administrative and physical.

What are the 4 types of security controls?

One of the easiest and most straightforward models for classifying controls is by type (physical, technical or administrative) and by function (preventative, detective or corrective).

What are NIST 800-171 controls?

NIST 800-171 requirements include:

  • Access controls. Limit access to CUI so that only authorized individuals and devices can view that data.
  • Awareness and training.
  • Auditing and accountability.
  • Configuration management.
  • Identification and authentication.
  • Incident response.
  • Maintenance.
  • Media protection.