Establishment of IT Controls for FISMA Compliance

The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002.

FISMA's goals include the development of a comprehensive framework to protect the government's information, operations, and assets. Providing adequate security for the Federal government's investment in information technology is a significant undertaking. In Fiscal Year (FY) 2004, Federal agencies spent $4.2 billion securing the government's total information technology investment of approximately $59 billion, or about seven percent of the total information technology portfolio.

The Act assigns specific responsibilities to Federal agencies, the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB) to strengthen system security. In particular, FISMA requires the head of each agency to implement policies and procedures that cost-effectively reduce information technology security risks to an acceptable level.

To ensure the adequacy and effectiveness of information security controls, FISMA requires agency program officials, Chief Information Officers, and Inspectors General (IGs) to conduct annual reviews of the agency's information security program and report the results to OMB. OMB uses this data to support its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the Act.

FISMA has brought attention within the Federal Government to cybersecurity, which had previously been largely neglected. As of February 2005, many government agencies had received extremely poor marks on the official report card, with an average score of 67.3% for 2004, an improvement of only 2.3 percentage points over 2003.

FISMA assigned NIST the responsibility of defining the standards and security procedures that American government agencies must follow in order to raise the security level of their systems. These standards have been published in Federal Information Processing Standards Publication 200 (FIPS PUB 200), and the security controls to be implemented are detailed in NIST Special Publication 800-53.

The security requirements defined in FIPS PUB 200 and NIST SP 800-53 cover 17 control families (domains):

  • Access control
  • Awareness and training
  • Audit and accountability
  • Certification, accreditation and security assessments
  • Configuration management
  • Contingency planning
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Physical and environmental protection
  • Planning
  • Personnel security
  • Risk assessment
  • System and services acquisition
  • System and communications protection
  • System and information integrity