Federal Information Security Management Act (FISMA)


The Federal Information Security Management Act (FISMA) requires each U.S. federal agency to develop, document, and implement an agency-wide program providing information security.

  • Est. 2002, updated 2014

Purpose and Scope

FISMA defines information security as protecting IT systems to provide confidentiality, integrity, and availability.

  • must be protected from unauthorized use, access, disruption, modification, and destruction
  • Applies to:
    • All US federal gov agencies
    • All state agencies that administer federal programs
    • All private companies that support, sell to, or receive grant money from the federal government

Six Main Provisions

The law:

  • Sets forth agency information security responsibilities
  • Requires a yearly independent review of agency information security programs
  • Authorizes the National Institute of Standards and Technology (NIST) to develop information security standards for IT systems that do not contain classified information
  • Gives the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) specific oversight responsibilities
  • Clarifies that national security systems (NSSs) must be secured using a risk-based approach
  • Provides for a central federal security incident response (IR) center

Requirements

FISMA requires that an organization implement information security controls that use a risk-based approach.

  • a risk-based approach is one that handles security by enumerating and compensating for specific risks

Agency Information Security Programs

FISMA requires each federal agency to create an agency-wide information security program.

  • applies to any other organization that uses the agency’s IT systems or data
  • must test every IT system at least once a year
  • must also review their security controls
    • some controls are required under FISMA
    • NIST has the authority to create minimum requirements
  • must include:
    • Risk assessments
      • must perform risk assessments
      • must measure the harm that could result from unauthorized access to or use of agency IT systems
      • must base their information security programs on the results of these risk assessments
    • Policies and procedures
      • must create policies and procedures to reduce risk to an acceptable level
      • policies must protect IT systems throughout their life cycle
      • must create configuration management policies
    • Subordinate plans
      • must make sure that they have plans for securing networks, facilities, and systems or groups of IT systems
      • are for technologies or system components that are a part of the larger information security program
    • Security awareness training
      • must give training to employees and any other users of their IT systems
      • must make people aware of potential risks to the agency’s IT systems
      • must make people aware of their duties to protect these systems
    • Testing and evaluation
      • must test their security controls at least once a year
      • must test management, operational, and technical controls for each IT system
    • Remedial actions
      • must have a plan to fix weaknesses in their information security program
    • Incident response
      • must have an IR procedure
      • must state how the agency detects and mitigates incidents
      • procedure must include reporting incidents to the DHS United States Computer Emergency Readiness Team (US-CERT) as needed
    • Continuity of operations
      • must have business continuity plans as part of their information security programs

Reporting

  • agencies must name a senior official to be in charge of information security
    • the Chief Information Security Officer (CISO)
      • responsible for FISMA compliance
  • agencies must submit monthly electronic data feeds to the DHS
    • through a program known as CyberScope
    • purpose is to continuously monitor the security posture of the federal agency’s information systems
  • Each agency must report yearly to the OMB on its FISMA compliance activities
    • must send a copy of its yearly report to the following:
      • House of Representatives Committee on Oversight and Government Reform
      • House of Representatives Committee on Homeland Security
      • House of Representatives Committee on Science and Technology
      • Senate Committee on Homeland Security and Governmental Affairs
      • Senate Committee on Commerce, Science, and Transportation
      • U.S. Government Accountability Office (GAO)
      • The agency’s congressional authorization and appropriations committee
    • FISMA compliance report:
      • must be in unclassified form
      • must review its information security program
        • The adequacy of the program
        • description of each major information security incident experienced by the agency
        • total number of information security incidents experienced by the agency
        • description of any information security incident experienced by the agency that compromised personally identifiable information (PII)
      • must assess the agency’s progress on correcting any weaknesses in the program or security controls
      • must also respond to a set of questions about its security practices
        • asked in CyberScope
        • DHS publishes the questions each year
    • Agencies must also report on their privacy activities
      • share information on their privacy training programs and their breach notification policy
      • must give a progress report on their efforts to eliminate the unnecessary use of SSNs and other PII
    • must include the results of an independent evaluation of the agency’s information security program
      • If an agency has an Inspector General, then the IG may carry out this evaluation
      • If they do not, the head of the agency must hire an external auditor

Role of NIST

FISMA requires the Department of Commerce to create information security standards and guidelines.

  • delegated this responsibility to NIST
    • agency of the Department of Commerce
  • NIST must create:
    • Standards that all federal agencies use to categorize their data and IT systems
    • Guidelines recommending the types of data and IT systems to be included in each category
    • Minimum information security controls for IT systems
  • OMB has stated that agencies must follow NIST standards and guidelines for non-NSSs
  • NIST creates two different types of documents:
    • Federal Information Processing Standards (FIPS)
      • are standards
      • Federal agencies must follow FIPS
        • must comply with new FIPS within 1 year of their publication date
        • do not apply to NSSs
      • NIST creates a FIPS only if there is no acceptable industry standard or solution for the underlying information security issue
      • currently are 13 FIPS
      • uses procedures described in the Administrative Procedures Act (APA) to create FIPS
        • APA states formal procedures for creating rules and regulations
        • ensures due process
      • Department of Commerce must approve FIPS before they can be finalized
    • Special Publications (SPs)
      • are guidelines
      • are computer security guidelines that are more general than FIPS
      • creates SPs in collaboration with industry, government, and academic information security experts
      • agencies have some flexibility in using the SPs for guidance

Risk Management Framework

  • NIST uses an RMF approach to FISMA compliance
    • outlined in SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations
    • helps protect IT systems during their whole life cycle
    • Federal agencies must use the RMF provided by NIST to assess the information security and privacy risks to their IT systems
    • outlines six steps to protect federal IT systems:
      • Categorize IT systems
      • Select minimum security controls
      • Implement security controls in IT systems
      • Assess security controls for effectiveness
      • Authorize the IT system for processing
      • Continuously monitor security controls
    • recommends a continuous process of categorization, assessment, and monitoring

  • NIST guides agencies at each RMF step
    • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, helps them categorize their IT systems
      • serves as the starting point for an agency’s information security program
      • helps them separate their IT systems into categories based on risk
      • then apply security controls to their IT system based upon their category
      • Under FIPS 199, agencies must first assess the impact on IT systems because of a loss of confidentiality, integrity, or availability
        • security category expresses that impact
        • defines three security categories:
          • Low
            • loss of confidentiality, integrity, or availability has a limited adverse effect on the agency, its information assets, or people
            • results in minor damage to assets
          • Moderate
            • loss of confidentiality, integrity, or availability has a serious adverse effect on the agency, its information assets, or people
            • results in significant damage to assets
          • High
            • loss of confidentiality, integrity, or availability has a severe or catastrophic adverse effect on the agency, its information assets, or people
            • results in major damage to assets
      • next must decide which controls to use
        • NIST created two documents to help with this
          • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
          • SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
            • defines the minimum thresholds, or baselines, for each category
        • OMB requires that agencies use these documents
        • documents require agencies to specify controls in 17 areas
          • FIPS 200:
            • Access control
            • Awareness and training
            • Audit and accountability
            • Certification, accreditation, and security assessments
            • Configuration management
            • Contingency planning
            • Identification and authentication
            • Incident response
            • Maintenance
            • Media protection
            • Physical and environmental protection
            • Planning
            • Personnel security
            • Risk assessment
            • System and services acquisition
            • System and communications protection
            • System and information integrity
      • OMB requires federal agencies to test their security controls
        • guidance for building the assessment plans is NIST SP 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
      • RMF requires agencies to authorize their IT system for processing
        • means that an agency must test its systems and approve its operation
        • based on a review of the risk of operating the system
        • must specifically accept the risks of operation before allowing an IT system to operate
      • agencies must continuously monitor their security controls
        • must document any changes to their IT systems and assess them for new risks
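The FIPS 199 categorization step above, as an added worked example (not from the original notes or from NIST): each information type on a system is rated Low, Moderate or High for confidentiality, integrity and availability; the system's category takes the highest value per objective (the FIPS 199 high-water mark, with N/A allowed only for confidentiality and a floor of Low at the system level), and the SP 800-53 baseline follows from the highest of the three. The grants portal and its information types are a constructed sample.

```python
# Added example (not from the original notes): FIPS 199 categorization of an
# information system by high-water mark, then the SP 800-53 baseline from it.
from enum import IntEnum
from typing import Dict, Optional

class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type: impact per objective. None means "not applicable",
# which FIPS 199 allows only for confidentiality (e.g. public information).
InfoType = Dict[str, Optional[Impact]]

def categorize_system(info_types: Dict[str, InfoType]) -> Dict[str, Impact]:
    """Per objective, take the highest impact across all information types
    (high-water mark). A system-level value is never below LOW."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    system_sc: Dict[str, Impact] = {}
    for obj in OBJECTIVES:
        values = []
        for name, it in info_types.items():
            if set(it) != set(OBJECTIVES):
                raise ValueError(f"{name}: needs all three objectives")
            if it[obj] is None and obj != "confidentiality":
                raise ValueError(f"{name}: N/A is allowed only for confidentiality")
            if it[obj] is not None:
                values.append(it[obj])
        system_sc[obj] = max(values, default=Impact.LOW)
    return system_sc

def baseline(system_sc: Dict[str, Impact]) -> Impact:
    """The SP 800-53 baseline is selected from the highest of the three values."""
    return max(system_sc.values())

def format_sc(system_sc: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({o}, {system_sc[o].name})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"

# Constructed sample: a hypothetical grants portal and its information types.
PORTAL: Dict[str, InfoType] = {
    "public program descriptions": {"confidentiality": None, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "applicant PII": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "award decisions": {"confidentiality": Impact.LOW, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
}
```

Running `format_sc(categorize_system(PORTAL))` gives a Moderate/High/Moderate category, so the single High on integrity pulls the whole system to the High baseline even though most of its data is Low or Moderate.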

Central Incident Response Center

  • government must have a federal IR center
  • must:
    • Give technical support to agencies about handling information security incidents
    • Compile and analyze data about information security incidents
    • Inform agencies about current and potential threats and vulnerabilities
    • Inform agencies about threats, vulnerabilities, and incidents to be considered as part of the agencies’ risk assessment process
    • Consult with NIST and agencies with NSSs about information security incidents
  • Agencies must report all information security incidents to the National Cybersecurity and Communications Integration Center (NCCIC)
    • aka US-CERT
    • Under FISMA, an incident is an event that:
      • actually or imminently jeopardizes the integrity, confidentiality, or availability of information or an information system
      • constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
  • reporting an incident:
    • must share as much information about the incident as possible and requires:
      • The impact the incident has had on the agency
      • Whether any information has been lost, compromised, or corrupted
      • The estimated amount of time and resources that are needed to recover from the incident
      • When the incident was first detected
      • The number of systems, records, and users impacted
      • The network location of the incident
      • Contact information if the NCCIC/US-CERT needs more information
    • must report within 1 hour of discovering an incident

National Security Systems

FISMA requires federal agencies to secure NSSs using a risk-based approach.

  • National security systems (NSSs) are IT systems that hold military, defense, and intelligence information
    • includes systems used for:
      • Intelligence activities
      • Command and control of military forces
      • Weapons or weapons-control equipment
      • Cryptography that protects national security
      • Functions critical to military or intelligence missions
      • Information that must be kept classified for national defense or foreign policy
  • Committee on National Security Systems (CNSS) oversees FISMA activities for NSSs
    • has 21 voting members
      • include officials from the National Security Agency (NSA), Central Intelligence Agency (CIA), and Department of Defense (DoD)
    • DoD member leads the committee
    • includes several subcommittees and panels
  • must follow CNSS policies
  • FISMA permits the directors of the DoD and CIA to develop additional information security policies for NSSs within their own agencies
  • OMB must report to Congress on FISMA compliance for NSSs

Oversight

  • OMB and the DHS share responsibility for FISMA compliance
  • OMB oversees FISMA-related budgetary issues
    • can withhold funding from agencies that fail to follow FISMA
    • OMB must issue a report to Congress each year on the government’s FISMA compliance
  • DHS has the power to ensure that agencies are meeting their FISMA obligations
    • can create rules and other guidance that these agencies must follow
      • called binding operational directives
    • keeps track of how all federal agencies are complying with FISMA
    • annually reviews their cybersecurity programs

Authority to Operate

After an organization passes an audit, the federal agency they’re working with grants it an authority to operate (ATO).

  • An ATO is specific to each agency
    • A company needs an ATO from each agency it works with

Resources