The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that requires federal agencies to develop, document and implement an information security and protection program. FISMA is part of the larger E-Government Act of 2002, which was enacted to improve the management of electronic government services and processes.
The FISMA regulations are extremely important for federal data security standards and guidelines. These regulations were introduced to reduce the security risk to federal information while managing federal spending on information security.
To achieve these aims, FISMA established a set of guidelines and security standards that federal agencies have to meet. The scope of FISMA has since increased to include state agencies administering federal programs like Medicare. FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government.
Compliance — A Serious Issue
It’s paramount that government and contractor personnel understand the intricacies of FISMA compliance. Why? Well, for starters, government agencies or associated private companies that fail to comply with FISMA are subject to a range of potential penalties, including censure by Congress, a reduction in federal funding and reputational damage.
The key FISMA requirements include:
- Information System Inventory: Every federal agency or contractor working with the government must keep an inventory of all the information systems utilized within the organization. In addition, the organization must identify the integrations between these information systems and other systems within their network.
- Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” defines a range of risk levels within which organizations can place their various information systems.
- System Security Plan: FISMA requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.
- Security Controls: NIST SP 800-53 outlines an extensive catalog of suggested security controls for FISMA compliance. FISMA does not require an agency to implement every single control; instead, agencies are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organization must document the selected controls in its system security plan.
- Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.
- Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve FISMA Certification and Accreditation (C&A) through a four-phase process that includes initiation and planning, certification, accreditation and continuous monitoring.
Risk Management Framework Training
Tonex helps with compliance issues by offering two Risk Management Framework (RMF) Training classes:
Our instructors at Tonex help participants master all the RMF process design and implementation techniques through comprehensive, step-by-step RMF training.
RMF Training objectives include learning about:
- Key activities in managing enterprise-level risk
- Evaluating risk resulting from the operation of an information system
- Categorizing the information system
- Selecting a set of minimum security controls
- Refining the security control set based on risk management
- Assessing the security controls
- Monitoring security controls on a continuous basis
- Determining agency-level risk and risk acceptability
The Tonex Way
- Presenting highly customized learning solutions is what we do. For over 30 years Tonex has worked with organizations to improve their understanding and capabilities on topics, often involving new development, design, optimization, regulations and compliance, that, frankly, can be difficult to comprehend.
- Ratings tabulated from student feedback in post-course evaluations show an amazing 98 percent satisfaction score.
- Reasonably priced classes taught by the best trainers are the reason all kinds of organizations, from Fortune 500 companies to the government’s most important agencies, return for updates in courses and hands-on workshops.
For more information, questions or comments, contact us.