Guidance on Federal information security controls
The Federal Information Security Management Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information and operations. FISMA was signed into law as Title III of the E-Government Act of 2002 and was later updated and amended, most notably by the Federal Information Security Modernization Act of 2014.

Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs and to private businesses and service providers that hold a contract with the U.S. government. Noncompliance can result in reduced federal funding or other penalties.

The E-Government Act was introduced to improve the management of electronic government services and processes while also managing federal spending on information security. FISMA was one of the more important parts of the E-Government Act because it set out a method for reducing federal data security risks while emphasizing cost-effectiveness. It established a set of security policies that federal agencies must meet. Specifically, FISMA requires federal agencies, and the other organizations it applies to, to develop, document and implement agency-wide information security programs capable of protecting sensitive data.

The act also assigns responsibilities to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). Agency officials, such as chief information officers and inspectors general, must conduct annual reviews of the agency's information security program and report those reviews to OMB. OMB uses the data to support its oversight responsibilities and forwards annual reports to Congress. NIST is tasked with developing the standards and guidelines that agencies must follow, including minimum security requirements; in practice these include FIPS 199 for categorizing systems by impact level, FIPS 200 for minimum security requirements, and the security-control catalog in NIST Special Publication 800-53.

FISMA compliance
FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government.
The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. NIST outlines numerous steps toward compliance with FISMA:
These are some of the major steps. Other steps include determining the agency-level risk to the business case and authorizing information systems for processing.

FISMA compliance best practices
To ensure compliance with FISMA, here are some best practices to follow:
Pros and cons of FISMA
FISMA allows for:
There are also concerns around FISMA, though. For example:
FISMA is best used as a starting point for implementing security measures.

This was last updated in September 2020
What guidance identifies federal information security controls?
The E-Government Act was among the first federal laws to comprehensively address information privacy and security issues in federal information technology systems. It complements the Privacy Act of 1974 and was intended to promote access to electronic government resources. FISMA, enacted as Title III of that act, is the part that requires agencies to implement security controls; the controls themselves are catalogued in NIST Special Publication 800-53.

What are the three types of information security controls?
There are three main types of IT security controls: technical, administrative and physical.

What are the four types of security controls?
One of the easiest and most straightforward models for classifying controls is by type (physical, technical or administrative) and by function (preventive, detective or corrective).

What are NIST SP 800-171 controls?
NIST SP 800-171 groups its requirements into control families, including: access control (limit access to CUI so only authorized individuals and devices can view that data); awareness and training; audit and accountability; configuration management; identification and authentication; incident response; maintenance; and media protection.