What Is FISMA Used For?
FISMA is a law that amended the Federal Information Security Management Act of 2002. As CISA notes on its website, the law does several things to codify responsibilities between OMB and DHS for oversight and implementation of agencies’ cybersecurity policies.
“The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for its information systems and data within to support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source,” a McAfee blog post notes. “According to FISMA, the term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.”
As CISA notes, FISMA spells out DHS’s role in “administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies.”
FISMA enables several key actions for advancing federal cybersecurity. The law authorizes DHS to offer federal civilian agencies operational and technical assistance for cybersecurity if agencies request it. The law also puts the federal information security incident center (run by US-CERT) within DHS.
If agencies request it, the law also enables DHS to deploy technology on other agencies’ networks.
Additionally, as CISA notes, FISMA standards also “requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually,” and “directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches.”
OMB releases an annual report on federal cybersecurity incidents. The report for fiscal year 2020, the most recent available, showed that agencies reported 30,819 cybersecurity incidents in FY 2020, an 8 percent increase over the 28,581 incidents that agencies reported in FY 2019. “This trend highlights the ever-increasing threats within the digital landscape and the need for the Federal Government to take action to reduce the impact of cybersecurity incidents,” the report notes.
What Does FISMA Compliance Mean?
As the National Institute of Standards and Technology notes, FISMA requires civilian agencies to “provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction” either information collected or maintained by or on behalf of an agency, or information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”
Federal agencies also need to comply with the information security standards and guidelines and mandatory required standards developed by NIST. FISMA applies not just to federal agencies but to contractors or other sources that “provide information security for the information and information systems that support the operations and assets of the agency,” NIST notes.
- Maintain an inventory of IT systems. Every federal agency must “keep an inventory of information systems that the agency controls or operates, as well as an inventory of the interdependencies between those systems and interdependencies between internal systems and systems outside agency control. This includes systems within an agency’s encrypted cloud.”
- Categorize data and systems according to risk level. Agencies are required to categorize all of their data and IT systems under different impact levels — low, medium and high — following guidance from NIST. A high-impact system “contains information where it has been determined that a loss or compromise of such information would present a grave risk to the U.S. government. An agency’s encrypted cloud environment must be categorized as well.”
- Maintain a system security plan. All agencies “must develop and maintain a plan — officially known as a System Security Plan, or SSP — that defined how the agency will implement security controls,” SolarWinds notes, adding that the plan must be updated regularly and include a plan of action and milestones.
- Use security controls. NIST defines minimum federal security requirements in the FIPS Publication 200, “Minimum Security Requirements for Federal Information and Information Systems.” Under FISMA, agencies must “first select the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, based on mission requirements. Agencies then document those security controls in the SSP and apply accordingly,” SolarWinds notes.
- Conduct risk assessments. Agencies need to conduct risk assessments to validate their security plans and use those assessments to “determine if additional controls are necessary to provide extra protection for any information or IT systems.”
- Certification and accreditation. “After documentation and risk assessment are complete, agencies must then certify that security controls function properly,” SolarWinds notes. “Once this certification is complete, the information system is ‘accredited.’ The certification and accreditation process is defined in NIST SP 800-37.”
- Conduct continuous monitoring. After all of this, agencies need to monitor their systems to “detect abnormalities, and perform security impact analyses, ongoing assessment of security controls, status reporting, etc.”
How Might FISMA Be Reformed?
In October, the Senate Homeland Security and Governmental Affairs Committee voted unanimously to advance to the full Senate consideration of a bill to reform FISMA.
The bill, from Sens. Gary Peters and Rob Portman, would make several changes to FISMA. As FCW reports, the bill would put OMB “at the center of policymaking on cybersecurity for civilian agencies and gives CISA the lead role in implementing cybersecurity operations,” while the national cyber director would be “responsible for developing the overall cybersecurity strategy of the United States and advising the President on matters relating to cybersecurity.”
The bill would require leaders of federal agencies to notify Congress of cybersecurity breaches within five days of an incident occurring. As FedScoop reports, the bill would require agency leaders to “carry out an initial analysis of an incident — and where necessary inform citizens that their data has been compromised — within 30 days” and mandate that “federal IT leaders provide a briefing on the threat within seven days.”
“This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” Portman said in an October statement.
Additionally, the bill would mandate that agencies use penetration testing “when and where appropriate” to monitor systems, according to FCW, especially high-value assets. The rules for such testing and the results would need to be shared with CISA and OMB, “without regard to the status of the entity that performs the penetration testing.”