Complying With The Federal Information Security Act (FISMA)

What is FISMA?
• FISMA
  – Congress included FISMA as part of the E-Government Act of 2002: http://thomas.loc.gov/bss/d107/d107laws.html
  – FISMA is the primary legislation that governs the required security activities associated with the Certification and Accreditation process. It sets forth specific requirements for security programs as well as an annual reporting requirement.
• As a DAA you will be responsible for executive oversight on meeting the program and reporting requirements outlined on the following slides.

Purpose of FISMA
Bringing standardization to security control selection and assessment through:
• Providing a consistent framework for protecting information at the federal level.
• Providing effective management of risks to information security.
• Providing for the development of adequate controls to protect information and systems.
• Providing a mechanism for effective oversight of federal security programs.

FISMA Requirements
• Federal agencies are required to establish an integrated, risk-based information security program that adheres to high-level requirements governing how information security is conducted within their agency.
• Agencies are required to:
  – assess the current level of risk associated with their information and information systems
  – define controls to protect those systems
  – implement policies and procedures to cost-effectively reduce risk
  – periodically test and evaluate those controls
  – train personnel on information security policies and procedures
  – manage incidents (incident response plan/process).

FISMA Dictates…
• Responsibilities of chief security officers.
• Actions required to assess risk.
• Actions required to mitigate risk.
• Security awareness training.
• Testing of security practices and controls.
• Procedures for responding to security issues.
• Procedures for business continuity.
FISMA and NIST
• NIST provides guidance on FISMA that is detailed and in-depth.
• NIST guidance includes:
  – Standards for categorizing information and information systems by mission impact.
  – Standards for minimum security requirements for information and information systems.
  – Guidance for selecting appropriate security controls for information systems.
  – Guidance for assessing security controls in information systems and determining security control effectiveness.
  – Guidance for certifying and accrediting information systems.

NIST FISMA Related Publications
• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-18, Rev 1 (Security Planning)
• NIST Special Publication 800-30, Rev 1 (Risk Management)
• NIST Special Publication 800-37 (Certification & Accreditation)
• NIST Special Publication 800-53 Rev 3 (Recommended Security Controls)
• NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
• NIST Special Publication 800-60 (Security Category Mapping)

FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems
• The standard used by federal agencies to categorize information and information systems, based on the objective of providing appropriate levels of information security according to a range of risk levels.
• Information systems are categorized as Low, Moderate, or High risk systems based on the Confidentiality, Integrity, and Availability security requirements necessary to protect the data/information processed, stored, or transmitted by the information system.

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
• Provides minimum information security requirements for information and information systems in each security category defined in FIPS 199.
• Dictates the requirement to use NIST SP 800-53 for the baseline security control requirements.
NIST SP 800-37 Rev 1, Guide to Apply the Risk Management Framework to Federal Information Systems
• Establishes a six-step Risk Management Framework for Federal Information Systems:
  – Categorize the Information System
  – Select Security Controls
  – Implement Security Controls
  – Assess Security Controls
  – Authorize the Information System
  – Monitor the Security Controls
• Applicable to non-national security information systems as defined in the Federal Information Security Management Act of 2002.

NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
• Defines the format and content for Security Plans, as required by OMB Circular No. A-130.
• The Security Plan's main functions include:
  – Providing an overview of the system's security requirements
  – Describing the controls in place or planned for meeting those requirements
  – Delineating the responsibilities and expected behavior of all individuals who access the system
  – Documenting the structured process of planning adequate, cost-effective security protection for the system

NIST SP 800-30 Rev 1, Risk Management Guide for Information Technology Systems
• Definitional and practical guidance regarding the concept and practice of managing IT-related risks.
• Risk management provides a balance between operational objectives and the economic costs of protective measures:
  – better securing of IT systems that store, process, or transmit organizational information;
  – enabling management to make well-informed risk management decisions to justify the expenditures;
  – assisting management in authorizing (or accrediting) the IT systems.

NIST SP 800-34 Rev 1, Contingency Planning Guide For Federal Information Systems
• Provides instructions, recommendations, and considerations for government IT contingency planning.
• Provides specific contingency planning recommendations for seven IT platforms.
• Strategies and techniques common to all systems.

NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations
• The purpose of NIST Special Publication 800-53, Rev 3 is to provide guidelines for selecting and specifying security controls for information systems…
• Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.
• Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems.
• Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems.

NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems
• Provides standardized techniques and procedures to verify the effectiveness of security controls.
• Provides a single baseline verification procedure for each security control in SP 800-53, Rev 3.
• Allows additional verification techniques and procedures to be applied at the discretion of the agency.

NIST SP 800-60 Vol I and Vol II, Guide for Mapping Types of Information and Information Systems to Security Categories
• Provides guidelines recommending the types of information and information systems to be included in each category of potential security impact.
• Assists agencies in mapping security impact levels in a consistent manner to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).
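The FIPS 199 categorization (covered on the FIPS 199 slide) and the SP 800-60 mapping of information types to impact levels (covered above) can be carried out mechanically; the following is an added example, not part of these slides, that computes a system's security category from constructed information types using the FIPS 199 high water mark and derives the single FIPS 200 impact level that selects the SP 800-53 baseline. The InfoType class, function names and sample impact values are assumptions; the rule that N/A is allowed only for confidentiality and that a system is floored at LOW comes from FIPS 199 itself.

```python
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
# FIPS 199 permits "N/A" only for the confidentiality of an information
# type (e.g. public information); a whole system never gets N/A.
IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}

@dataclass(frozen=True)
class InfoType:
    name: str            # information type, e.g. an SP 800-60 line item (assumed shape)
    confidentiality: str
    integrity: str
    availability: str

def _normalize(objective, level):
    lvl = level.strip().upper()
    if lvl not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if lvl == "N/A" and objective != "confidentiality":
        raise ValueError(f"N/A is only allowed for confidentiality, not {objective}")
    return lvl

def categorize_system(info_types):
    """Per objective, the highest impact (high water mark) of any information
    type the system handles, floored at LOW: FIPS 199 gives an information
    system a minimum of LOW for every objective even if every type is N/A."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        levels = [_normalize(objective, getattr(it, objective)) for it in info_types]
        top = max(levels, key=IMPACT_ORDER.__getitem__)
        category[objective] = "LOW" if top == "N/A" else top
    return category

def overall_impact(category):
    """FIPS 200 high water mark across the three objectives; this single
    level selects the LOW, MODERATE or HIGH control baseline in SP 800-53."""
    return max(category.values(), key=IMPACT_ORDER.__getitem__)

def format_category(category):
    # Render the category in FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}
    return "SC = {" + ", ".join(f"({k}, {v})" for k, v in category.items()) + "}"

# Constructed sample: a public portal that also carries procurement and alert data.
SAMPLE_TYPES = (
    InfoType("Public web content", "N/A", "LOW", "LOW"),
    InfoType("Pre-award procurement data", "MODERATE", "MODERATE", "LOW"),
    InfoType("Emergency notification feed", "LOW", "MODERATE", "HIGH"),
)
```

Calling `overall_impact(categorize_system(SAMPLE_TYPES))` on the constructed sample yields HIGH, because one information type's availability impact drives the whole system to the HIGH baseline.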
SUMMARY
Key activities in managing enterprise-level risk—risk resulting from the operation of an information system:
• Categorize the information system
• Select the set of minimum (baseline) security controls
• Refine the security control set based on risk assessment
• Document the security controls in the system security plan
• Implement the security controls in the information system
• Assess the security controls
• Determine agency-level risk and risk acceptability
• Authorize information system operation
• Monitor security controls on a continuous basis

QUESTIONS?

Security and Privacy Consulting, LLC
larry@securityandprivacyconsulting.com
813-838-2689