Federal Information Security Management Act of 2002
The Federal Information Security Management Act of 2002 (FISMA) is a pivotal piece of legislation aimed at securing sensitive government information in light of increasing threats, such as cyberterrorism and hacking. Enacted as part of the E-Government Act, FISMA encourages the digitization of government services while establishing a framework to enhance the federal government's ability to protect its information assets. The act articulates a fourfold purpose: improving infrastructure for information security, managing security risks, maintaining a system for information flow control, and overseeing information security programs.
Implementation of FISMA is guided by the National Institute of Standards and Technology (NIST) and monitored by the Office of Management and Budget (OMB). NIST provides a comprehensive set of guidelines for federal agencies, detailing a nine-step process that includes risk assessment, security planning, and continuous monitoring of security measures. A crucial aspect of FISMA is the accreditation process, which assigns responsibility for breaches to senior officials within agencies.
Despite its intentions, FISMA has faced criticism for prioritizing procedural compliance over effective security measures. Ongoing discussions in Congress have raised concerns about the need for more standardized security protocols across federal agencies, aiming to enhance compliance and improve the overall security posture of the U.S. government.
On this Page
Federal Information Security Management Act of 2002
Title III of the 2002 E-Government Act, the Federal Information Security Management Act (FISMA), outlines the requirements for federal agencies’ implementation of information security. The general purpose of the E-Government Act was to promote the digitization of government services, as a result of the general societal shift from the paper-based to the electronic dissemination of information. FISMA’s goal is to implement protocol to secure confidential government information against natural disaster or man-made threats, such as cyberterrorism and hacking. Both the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) oversee the implementation of FISMA and the annual reviews of federal agency compliance.
Overview
FISMA has a fourfold purpose: to establish an infrastructure for improving the federal government’s ability to secure information, to provide appropriate intragovernmental management of information-security risks, to develop and maintain a basic and agreed-upon system for controlling and protecting the flow of federal information, and to implement a system to properly oversee information-security programs. NIST developed the guidelines and methodology for implementing information security, while OMB collects and manages the annual reports submitted by each agency, which it then uses to compile its own report outlining to Congress the act’s effectiveness.
NIST’s guidelines provide government agencies nine steps for implementing optimum security: (1) codify the information that needs to be safeguarded; (2) establish minimum controls; (3) create a risk-assessment formula for refining the minimum regulations; (4) employ a security plan to document the regulations; (5) implement the regulations; (6) after implementation, determine the effectiveness of the regulations; (7) consider the level of risk that each case poses to the agency; (8) approve the security procedures; and (9) continually monitor them. Once an agency assesses its specific security risks, a senior official must review the agency’s plan, after which the plan must be certified and accredited. Accreditation is a key component of the process because the official who offers accreditation is then responsible for any breach of information security. Unauthorized access, suspicious activity, and data transgressions must be reported to the US Computer Emergency Readiness Team, part of the Department of Homeland Security. In 2009, a federal task force developed a three-tiered plan to better assist agencies with FISMA and monitor the effectiveness of each agency’s plan.
Debate over FISMA continued for over a decade after it implementation, and some in Congress have called for its revision. The primary critique of the act is that, on a practical level, it has focused less on actual security and more on the development and implementation of security procedures. Furthermore, many have called for security protocols that can be standardized across agencies to increase compliance and to streamline the US government’s ability to crack down on compromises to information security.
Bibliography
Gantz, Stephen D., and Daniel R. Philpott. FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security. Boston: Syngress, 2013. Print.
Hasson, Judi. “FISMA.” Government Executive 15 June 2008: 22–25. Print.
Hiltz, Craig W. The Federal Information Security Management Act (FISMA): A Legal Research Guide. Buffalo: Hein, 2013. Print.
Howard, Patrick D. FISMA Principles and Best Practices: Beyond Compliance. Boca Raton: Auerbach, 2011. Print.
Nowell, Chris. “Regulatory Compliance: The Wonderful World of FISMA.” Information Systems Security 16.5 (2007): 278–80. Print.
Poeter, Damon. “Senators Propose New Cybersecurity Bill, Update to FISMA.” PC Magazine. Ziff Davis, 1 Mar. 2012. Web. 2 Oct. 2013.
Starks, Tim. “Law of Unintended Consequences.” CQ Weekly 4 Oct. 2010: 2272–74. Print.
Taylor, Laura. FISMA Certification and Accreditation Handbook. Ed. Matthew Shepherd. Rockland: Syngress, 2007. Print.