What is FISMA?
The Federal Information Security Management Act (FISMA) is part of the E-Government Act, which became law in December 2002. Title III of the E-Government Act is FISMA. FISMA requires all federal agencies to apply a risk-based methodology to every information system operated by the agencies and their contractors.
FISMA tasks the National Institute of Standards and Technology (NIST) with developing the framework and controls for that methodology, and the NIST Special Publication 800 series provides the guidance for FISMA. The methodology follows eight steps:
- Categorize
- Select
- Supplement
- Document
- Implement
- Assess
- Authorize
- Monitor
Categorize - Using a risk-based methodology, an information system is assigned one of three risk levels: Low (L), Moderate (M), or High (H). NIST provides several documents for guidance on categorization: the draft SP 800-60r1, Guide for Mapping Types of Information and Information Systems to Security Categories (two volumes: Volume 1, the guide itself, and Volume 2, its appendices), and FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
Select - This step selects which controls are to be implemented on an information system. The controls are selected based upon the security categorization chosen above, and the depth of each control is also influenced by that categorization. NIST SP 800-53r2, Recommended Security Controls for Federal Information Systems, is the most important document NIST has written with regard to security controls.
In NIST 800-53, security controls are broken down into 17 functional families, and those families are further grouped into three categories: Managerial, Operational, and Technical. These are logical, ordered groupings. Again, the controls listed in 800-53 are recommendations based upon the security categorization of the information system. One control may apply to all L, M, and H systems; another may apply only to an H system; and yet another may apply to an M system, but in less detail than to an H system.
Supplement - This step supplements the previous one. Here the agency determines whether there are any overriding factors that affect the system from a risk management standpoint. One example is an L system inside an M-level enclave: the agency may decide that every system in the enclave must meet the enclave's risk categorization rather than its own. Another example is a system located in a high-risk area such as a hurricane zone or a flood plain. In that case, supplemental controls may need to be applied to the information system to further protect it.
Document - This is a key step in the risk management approach. NIST SP 800-18r1, Guide for Developing Security Plans for Federal Information Systems, provides guidance for developing a System Security Plan (SSP). The SSP describes the system, including, but not limited to, its identification, risk categorization, responsible personnel, purpose, description, architecture, applicable laws and regulations, and connection information. The second part of the SSP lists the controls decided upon in the two previous steps. The document gives the reader a broad overview of the system and its risk management stance.
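To make the Categorize, Select and Supplement steps concrete, here is a small Python model added for this article (it is not code from the article or from NIST). It applies the FIPS 199 "high water mark" rule, in which a system's level is the most severe impact across every information type and every security objective, then the enclave override from the Supplement step, and finally picks the applicable controls from a constructed, placeholder control list; the information types and control identifiers are assumptions made up for the demonstration.

```python
from typing import Dict, List

LEVELS = ["L", "M", "H"]  # ordered: Low < Moderate < High


def highest(levels: List[str]) -> str:
    """FIPS 199 high water mark: the most severe of the given levels."""
    return max(levels, key=LEVELS.index)


def categorize(info_types: Dict[str, Dict[str, str]]) -> str:
    """Categorize step. Each information type carries a Low/Moderate/High
    impact for confidentiality (C), integrity (I) and availability (A), as in
    the SP 800-60 mapping; the system level is the highest across all of them."""
    return highest([lvl for ratings in info_types.values() for lvl in ratings.values()])


def supplement(system_level: str, enclave_level: str) -> str:
    """Supplement step: the system inherits the enclave's categorization when
    the enclave is rated higher (the 'L system in an M enclave' case)."""
    return highest([system_level, enclave_level])


# Constructed placeholder controls: (name, lowest baseline that requires it).
# Real 800-53 baselines are much larger; these IDs are invented for the demo.
SAMPLE_CONTROLS = [
    ("CTL-01 access control policy", "L"),
    ("CTL-02 audit record review", "L"),
    ("CTL-03 automated incident handling", "M"),
    ("CTL-04 boundary protection enhancements", "H"),
]


def select_controls(level: str, controls=SAMPLE_CONTROLS) -> List[str]:
    """Select step: every control whose baseline is at or below the system level."""
    return [name for name, base in controls if LEVELS.index(base) <= LEVELS.index(level)]


if __name__ == "__main__":
    # Constructed example: a notice system that also holds personnel records.
    system = {
        "public notices": {"C": "L", "I": "M", "A": "L"},
        "personnel records": {"C": "M", "I": "M", "A": "L"},
    }
    level = categorize(system)                     # "M" (high water mark)
    final = supplement(level, enclave_level="H")   # enclave override raises it to "H"
    for control in select_controls(final):
        print(control)
```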
This concludes part I of what FISMA provides for US Agencies.

What is FISMA? by Jeremy Finke, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.