The Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347) create mandates for agencies to take specific steps to ensure the security of Federal information systems. FISMA requires agencies to perform annual reviews and report to the Office of Management and Budget on their information systems’ security programs. This means that agencies need a comprehensive approach to policy, auditing, reporting and remediation in order to satisfy FISMA requirements.
FISMA compliance is challenging because each agency is given wide latitude in satisfying the basic goals of:
- Providing a comprehensive framework ensuring the effectiveness of information security controls
- Acknowledging the networked nature of Federal systems and ensuring cooperation and coordination between agencies.
- Developing and maintaining a minimum (baseline) set of security controls.
- Ensuring adequate oversight of agency information security programs.
- Acknowledging the effectiveness of commercially developed information security products and their application as market solutions for Federal systems
- Selecting technical hardware and software security solutions that are applicable to the specific agency and its mission
Specifically FISMA has requirements in the following areas:
Organizational requirements to ensure that the delegation of responsibility and authority supports the objectives of information security (Section 3544)
Development of an agency-wide information security program which includes the following areas of concern (Section 3544 (b))
- Security Policies and Procedures
- Subordinate plans
- Continuity of Operations Plan
- Security Incident Reporting
- Training Plans
- Testing and Evaluation Results
- Agency Risk Assessments
Implementation of procedures to ensure timely agency reporting of the status of their information security programs with remedial action requirements supported by budgetary line items. (Section 3544 (c))
Mandated annual independent evaluation of the information security program to determine the effectiveness of policies, programs and practices. (Section 3545)
Ensure reporting of incidents to the FedCIRC and consult with other agencies about mitigating the risks of identified threats and perceived threats. (Section 3546)