The Federal Information Security Management Act (FISMA) is a United States Federal Law enacted in 2002 as part of the E-Government Act. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA has brought attention within the federal government to cyber security and explicitly emphasized a "risk-based policy for cost-effective security." Intersec Worldwide offers solutions that help agency program officials, chief information officers, and inspectors general (IGs) conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB) as required by FISMA.
Intersec Worldwide offers an array of services for managing information security for all information systems used or operated by a U.S. federal government agency or by a contractor or other organization on behalf of a federal agency. Intersec Worldwide helps agencies manage this information according to the framework defined by FISMA, which includes the following:
Inventory of information systems
Agencies must have in place an information systems inventory, and the head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency. The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
Categorize information and systems according to risk level
All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels.
Federal information systems must meet the minimum security requirements. Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements. The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.
The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. The agency's risk assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of “security due diligence” for the federal agency and its contractors. A risk assessment starts by identifying potential threats and individual vulnerabilities. One then determines risk by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether the risk should be accepted or mitigated.
System security plan
Agencies should develop policy on the system security planning process. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls. The System security plan is the major input to the security certification and accreditation process for the system. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. The certification agent confirms that the security controls described in the system security plan are consistent with the FIPS 199 security category determined for the information system, and that the threat and vulnerability identification and initial risk determination are identified and documented in the system security plan, risk assessment, or equivalent document.
Certification and accreditation
Once the system documentation and risk assessment has been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Security accreditation provides a form of quality control and challenges managers and technical staff at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints.
The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.
All accredited systems are required to monitor a selected set of security controls for efficacy, and the system documentation is updated to reflect changes and modifications to the system. Significant changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. Those security controls that are volatile or critical to protecting the information system are assessed at least annually. All other controls are assessed at least once during the information system’s three-year accreditation cycle.
Copyright @ 2012 Intersecworldwide. All rights reserved.