What is FISMA?
FISMA is the Federal Information Security Management Act. It is a high-level law that mandates a level of cybersecurity for all federal agencies and federal contractors. It was enacted by Congress in 2002 and updated in 2014.
While FISMA delegates cybersecurity responsibility to the various federal departments and agencies, it also centralizes a significant amount of cybersecurity functions (including mandates) to the Department of Homeland Security (DHS) and leaves the nitty-gritty standards and guidelines to the National Institute of Standards and Technology (NIST) to hammer out.
The direct FISMA mandates on federal agencies are the following:
- Periodic risk assessments
- Policies and procedures that are based on risk assessments
- Subordinate plans for cybersecurity
- Security awareness training
- Annual testing and evaluation of information security policies and procedures
- Remedial action to correct security flaws
- Security incident detection, reporting, and response procedures
- Business continuity plans
- Notification on data breaches
The indirect FISMA mandates on agencies and contractors that flow through NIST via the NIST standards are exhaustive and located in SP-800-53. It contains over 500 pages of controls that entities must choose from depending on whether their information systems are deemed low impact, medium impact, or high impact.
While the SP 800-53 controls are beyond the scope of this article, I recommend that you take a look at how detailed and complicated the control document is here https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.
Building and maintaining a cybersecurity system using SP 800-53 is no easy task and requires a team of highly skilled professionals to guide you through it. At Digital Edge, we have such a team ready to go and would be happy to assist.
