Federal Information Security Management Act of 2002

Title III of the 2002 E-Government Act, the Federal Information Security Management Act (FISMA), outlines the requirements for federal agencies’ implementation of information security. The general purpose of the E-Government Act was to promote the digitization of government services, as a result of the general societal shift from the paper-based to the electronic dissemination of information. FISMA’s goal is to implement protocols that secure confidential government information against natural disasters and man-made threats, such as cyberterrorism and hacking. Both the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) oversee the implementation of FISMA and the annual reviews of federal agency compliance.

Overview

FISMA has a fourfold purpose: to establish an infrastructure for improving the federal government’s ability to secure information, to provide appropriate intragovernmental management of information-security risks, to develop and maintain a basic and agreed-upon system for controlling and protecting the flow of federal information, and to implement a system to properly oversee information-security programs. NIST developed the guidelines and methodology for implementing information security, while OMB collects and manages the annual reports submitted by each agency, which it then uses to compile its own report outlining to Congress the act’s effectiveness.

NIST’s guidelines provide government agencies nine steps for implementing optimum security: (1) codify the information that needs to be safeguarded; (2) establish minimum controls; (3) create a risk-assessment formula for refining the minimum regulations; (4) employ a security plan to document the regulations; (5) implement the regulations; (6) after implementation, determine the effectiveness of the regulations; (7) consider the level of risk that each case poses to the agency; (8) approve the security procedures; and (9) continually monitor them. Once an agency assesses its specific security risks, a senior official must review the agency’s plan, after which the plan must be certified and accredited. Accreditation is a key component of the process because the official who offers accreditation is then responsible for any breach of information security. Unauthorized access, suspicious activity, and data transgressions must be reported to the US Computer Emergency Readiness Team, part of the Department of Homeland Security. In 2009, a federal task force developed a three-tiered plan to better assist agencies with FISMA and monitor the effectiveness of each agency’s plan.

Debate over FISMA continued for over a decade after its implementation, and some in Congress have called for its revision. The primary critique of the act is that, on a practical level, it has focused less on actual security and more on the development and implementation of security procedures. Furthermore, many have called for security protocols that can be standardized across agencies to increase compliance and to streamline the US government’s ability to crack down on compromises to information security.
