INFA660 Security Policy, Ethics, and the Legal Environment
March 14, 2011
Abstract
Foreign as well as domestic cyber threats and attacks on technological networks and systems have led the Government to enact the Federal Information Security Management Act (FISMA), which is a section of the E-Government Act of 2002. FISMA provides the statutory structure required for management, reporting, assessment and compliance. This paper will provide an analysis of FISMA and why compliance under the Act, while needed, is more taxing and yields less security.
"This paper or presentation is my own work. Any assistance I received in its preparation is acknowledged within …
Requirements
FISMA necessitates compliance for all data and information systems under the government's control, and for all data and systems that are provided by others outside the public domain (GovITWiki, 2008). Data that is provided by others to governmental agencies must strive to protect those systems' operations and assets, and provide continuity in system reporting and other requirements (IBM, 2007).
Agencies must produce a total, accurate, and complete assessment of all information and systems, including security status, risk, and remediation (IBM, 2007). However, this can be very taxing when systems are "spread across many organizations and geographies" (IBM, 2007, p. 4).
FISMA mandates basic security standards and requirements by putting the onus of complying with these requirements on each agency, which must detect and report security vulnerabilities in its computer systems (Hasson, 2008). Additionally, these requirements to mandate security standards are ongoing, with reports provided at least annually, if not more often, to OMB, which must in turn submit yearly reports to Congress on agency compliance and outcomes (Hasson, 2008). This reporting requirement already existed in the Government, but the Act added the need to secure information systems as well as information, which …
Under the direction of the National Institute of Standards and Technology (NIST), nine steps have been identified as a gauge that agencies should strive towards in order to be in compliance (TechTarget, n.d.).
These steps are: protecting information; control of information; risk assessment; documentation of the controls used to devise a system security plan; implementation of security controls; assessment of security controls once online and in use; evaluation of risk to the agency and its mission; process authorization; and continuous monitoring of security mechanisms (TechTarget, n.d.).
For instance, under FISMA Government agencies must make sure all public information and systems housed in the agency are free from alteration and manipulation, and are maintained in a manner that protects information against malicious threats and/or insider attacks, all in a cost-effective way (IBM, 2007). This is no doubt very difficult for agencies trying to focus on securing data while also being required to worry about meeting multiple compliance standards (IBM,