PDF
version
of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free
download.

Federal Information
Security Modernization Act

by Faulkner Staff

Copyright 2019, Faulkner Information Services. All
Rights Reserved.

Docid: 00011143

Publication Date: 1906

Report Type: TUTORIAL

Preview

The Federal Information Security Management Act of 2002 (FISMA) was a
living – and frequently changing – document intended to provide a
comprehensive framework for US federal government agencies to improve
security. These changes are evident in the Federal Information
Modernization Act of 2014 (Public Law 113-283). This law changes oversight
of governmental security and introduces new legislative requirements
designed to reduce the amount of reporting and inefficient activity that
was associated with the original FISMA. FISMA is designed to adapt to
changing technologies, which presents challenges for organizations wishing
to contract goods and services with the US federal government. In order to
ensure FISMA compliance, the National Institute of Standards and
Technology provides detailed guidance and recommendations.

Report Contents:

• Executive Summary
• Description
• Current View
• Recommendations
• Web Links

Executive Summary

[return to top of this
report]

The Federal Information Security Management Act (FISMA) was passed as
part of the Homeland Security Act of 2002 and the E-Government Act (E-GA)
of 2002. It was further updated to become the Federal Information Security
Modernization Act of 2014. The act requires every government agency to
secure the information and information systems that support its operations
and assets, including those provided by other agencies, contractors, or
other sources. The updates to the act move the authority to administer the
implementation of those policies to the Department of Homeland Security
(DHS) and re-establish the oversight authority for the Director of the
Office of Management and Budget (OMB) with respect to agency information
security policies and practices. Since taking over authority for the act,
OMB is doing away with requirements of the original 2002 act that have
been superseded by the 2014 update.

FISMA policies are designed to protect government information systems
from being compromised by network attacks. It also serves to help federal
agencies define security baselines, embed security within IT initiatives,
and establish uniform criteria for security planning, testing, and
evaluation. Although FISMA is only applicable to the government sector,
the approach to compliance can also be useful for the private sector.

According to the USA Patriot Act (P.L. 107-56), it is necessary to
protect “systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on national security, national
economic security, national public health and safety, or any combination
of those matters.” The National Institute of Standards and Technology
(NIST) is tasked with developing the security standards and guidance
necessary for federal agencies and contractors to demonstrate compliance
with the legislation. NIST engaged in a multi-year effort to accomplish
the goals and objectives of the legislation.

1. Phase I: Development of FISMA-related security standards and
   guidelines, which was completed by the end of 2012.
2. Phase II: Development of a credentialing program for security
   assessment service providers. This phase began in 2007 and was also
   completed by the end of 2012.

As of this printing, NIST has developed two major FISMA security
standards:

1. The Federal Information Processing Standard (FIPS) 199: Standards for
   Security Categorization of Federal Information and Information Systems
2. The Federal Information Processing Standard (FIPS)
   200:Minimum-SecurityRequirements for Federal Information and Information
   Systems

NIST has also developed numerous FISMA security guidance documents,
including:

PHASE I

1. FIPS Publication 199, Standards for Security Categorization of Federal
   Information and Information Systems (Final)
2. FIPS Publication 200, Minimum Security Requirements for Federal
   Information and Federal Information Systems (Final)
3. NIST Special Publication 800-18, (Revision 1) Guide for
   Developing Security Plans for Federal Information Systems and
   Organizations (Final)
4. NIST Special Publication 800-30, (Revision 1) Risk
   Assessment Guideline (Completion December 2010)
5. NIST Special Publication 800-37, Guide for the Security Certification
   and Accreditation of Federal Information Systems (Final)
6. NIST Special Publication 800-37 (Revision 1) (Revision Cycle)
   Guide for Security Authorization of Federal Information Systems: A
   Security Life Cycle Approach (Completion June 2009)
7. NIST Special Publication 800-39, Managing Information Security Risk:
   Organization, Mission, and Information System View (Final)
8. NIST Special Publication 800-53 (Revision 4) Security and
   Privacy Controls for Federal Information Systems and Organizations
   (Final)
9. NIST Special Publication 800-53, (Revision 3) Recommended
   Security Controls for Federal Information Systems (Final)
10. NIST Special Publication 800-53A (Revision 1), Guide for
    Assessing the Security Controls in Federal Information Systems and
    Organizations, Building Effective Security Assessment Plans (Final)
11. NIST Special Publication 800-59, Guideline for Identifying an
    Information System as a National Security System (Final)
12. NIST Special Publication 800-60, (Revision 1) Guide for
    Mapping Types of Information and Information Systems to Security
    Categories (Final)
13. NIST Special Publication 800-128 Guide for Security-Focused
    Configuration Management of Information Systems (Final)
14. NIST Special Publication 800-137 Information Security Continuous
    Monitoring for Federal Information Systems and Organizations (Final)

PHASE II

1. NISTIR 7328. Security Assessment Provider Requirements and Customer
   Responsibilities; Building a Security Assessment Credentialing Program
   (Revision Cycle)
2. FAQs and QSGs (Quick Start Guides) for Risk Management Framework
   Steps: Categorize, Select, Implement, Assess, Authorize, Monitor;
   Training Module
3. On-line Course Available: Applying the Risk Management Framework
   to Federal Information Systems

NIST has developed a FISMA Risk Management Framework designed to do the
following:

• Categorize the information system along with the information
  processed, stored, and transmitted by that system based upon impact
  analysis.
• Select an initial set of baseline security controls for the
  information system based on the security categorization; tailoring and
  supplementing the security control baseline as needed based on
  organization assessment of risk and local conditions.
• Implement the security controls and document how the controls are
  deployed within the information system and environment of operation.
• Assess the security controls using appropriate procedures to determine
  the extent to which the controls are implemented correctly, operating as
  intended, and producing the desired outcome with respect to meeting the
  security requirements for the system.
• Authorize information system operation based upon a determination of
  the risk to organizational operations and assets, individuals, other
  organizations and the Nation resulting from the operation of the
  information system and the decision that this risk is acceptable.
• Monitor and assess selected security controls in the information
  system on an ongoing basis including assessing security control
  effectiveness, documenting changes to the system or environment of
  operation, conducting security impact analyses of the associated
  changes, and reporting the security state of the system to appropriate
  organizational officials.

Additional changes to FISMA 2014 include:

• Requires for DHS to develop and oversee implementation of operational
  directives requiring agencies to implement the OMB’s standards and
  guidelines for safeguarding federal information and systems from a known
  or reasonably suspected information security threat, vulnerability, or
  risk. Authorizes the OMB to revise or repeal operational directives that
  are not in accordance with the OMB’s policies.
• Requires DHS to ensure the operation of the Federal Information
  Security Incident Center (FISIC).
• Directs DHS to administer procedures to deploy technology, upon
  request by an agency, to assist the agency to continuously diagnose and
  mitigate against cyber threats and vulnerabilities.
• Requires the OMB’s annual report to Congress regarding the
  effectiveness of information security policies to assess agency
  compliance with OMB data breach notification procedures.
• Provides for OMB’s information security authorities to be delegated to
  the Director of National Intelligence (DNI) for certain systems operated
  by an element of the intelligence community.
• Directs DHS to consult with and consider guidance developed by the
  National Institute of Standards and Technology (NIST) to ensure that
  operational directives do not conflict with NIST information security
  standards.
• Directs agency heads to ensure that:
  • Information security management processes are integrated with
    budgetary planning;
  • Senior agency officials, including chief information officers,
    carry out their information security responsibilities; and
  • All personnel are held accountable for complying with the
    agency-wide information security program.
• Provides for the use of automated tools in agencies’ information
  security programs, including for periodic risk assessments, testing of
  security procedures, and detecting, reporting, and responding to
  security incidents.
• Requires agencies to include offices of general counsel as recipients
  of security incident notices. Requires agencies to notify Congress of
  major security incidents within seven days after there is a reasonable
  basis to conclude that a major incident has occurred.
• Directs agencies to submit an annual report regarding major incidents
  to OMB, DHS, Congress, and the Comptroller General (GAO). Requires such
  reports to include:
  • Threats and threat actors, vulnerabilities, and impacts;
  • Risk assessments of affected systems before, and the status of
    compliance of the systems at the time of, major incidents;
  • Detection, response, and remediation actions;
  • The total number of incidents; and
  • A description of the number of individuals affected by, and the
    information exposed by, major incidents involving a breach of
    personally identifiable information.
• Authorizes Government Accountability Office (GAO) to provide technical
  assistance to agencies and inspectors general, including by testing
  information security controls and procedures.
• Requires OMB to ensure the development of guidance for:
  • Evaluating the effectiveness of information security programs and
    practices, and
  • Determining what constitutes a major incident.
• Directs FISIC to provide agencies with intelligence about cyber
  threats, vulnerabilities, and incidents for risk assessments.
• Directs OMB, during the two-year period after enactment of this Act,
  to include in an annual report to Congress an assessment of the adoption
  by agencies of continuous diagnostics technologies and other advanced
  security tools.
• Requires OMB to ensure that data breach notification policies require
  agencies, after discovering an unauthorized acquisition or access, to
  notify:
  • Congress within 30 days, and
  • Affected individuals as expeditiously as practicable. Allows the
    Attorney General, heads of elements of the intelligence community,
    or the DHS Secretary to delay notice to affected individuals for
    purposes of law enforcement investigations, national security, or
    security remediation actions.
• Requires OMB to amend or revise OMB Circular A-130 to eliminate
  inefficient and wasteful reporting.
• Directs the Information Security and Privacy Advisory Board to advise
  and provide annual reports to DHS.

NIST publications are roadmaps that federal agencies can use to ensure
security practices are enforced. Federal Information Processing Standards
(FIPS), however, must be implemented exactly as they are written with no
agency interpretation allowed. And all federal agencies must follow the
published NIST standards and guidelines.

Description

[return to top of this
report]

The legislation (Public Law 107-347, Title III) states that “each federal
agency shall develop, document, and implement an agency-wide information
security program to provide information security for the information and
information systems that support the operations and assets of the agency,
including those provided or managed by another agency, contractor, or
other source.”

The specific objectives of the legislation are to:

• Provide a comprehensive framework to ensure that effective security
  controls are placed over the information systems that support federal
  agencies.
• Recognize the complexity of the IT environment in federal agencies and
  ensure the effective management of information security risks.
• Require the development and maintenance of minimum controls for the
  protection of federal information systems.
• Provide a mechanism for improved oversight of information security
  programs.
• Acknowledge that commercially developed information security solutions
  are available for the protection of critical information
  infrastructures.
• Recognize that each federal agency should be able to make individual
  selections of specific hardware and software pertaining to information
  security.

All agencies required to comply with the Paperwork Reduction Act (PRA)
(PRA 44 USC 3501-3520) must implement the requirements of FISMA and report
both quarterly and annually to the Office of Management and Budget (OMB),
which acts as FISMA’s oversight body as well as to Congress on the
effectiveness of their information security policies, procedures, and
practices.

Agencies are required to report any significant deficiencies in these
areas in order to track key IT security weaknesses. Additionally, it is
mandatory that all agencies implement processes to measure IT security
progress.

To meet reporting requirements, every year, the Chief Information
Officers (CIOs), Chief Information Security Officers (CISOs), and agency
Inspectors General at the 24 largest federal agencies are asked to answer
questions concerning the processes and policies they use to secure federal
computer systems and comply with FISMA. The questions roughly fall into
one of seven categories, including the following:

Annual Testing

• What percentage of agency programs and systems has the CIO and/or
  agency Inspectors General reviewed this year for security
  vulnerabilities?
• Describe the degree to which agency program officials and the agency
  CIO have used appropriate methods in the past fiscal year to ensure that
  contractor or agency provided services are adequately secure and meet
  policy requirements.
• Describe the degree to which the agency used NIST’s self-assessment
  guide or equivalent methodology this year to conduct security reviews.
• Has the agency appointed senior information security officer who
  reports directly to the CIO?

Plan of Action and Milestones

• Has the agency developed a Plans of Action and Milestones (POA&M)
  for each significant security deficiency identified in the past fiscal
  year?
• Has the agency developed, implemented, and managed an agency-wide
  POA&M process that includes incorporating known IT security
  weaknesses into the POA&M?

Certification & Accreditation

• What percent of systems has been certified and accredited, has
  integrated the costs of security controls into the systems’ lifecycles,
  has been tested for security controls in the past fiscal year, and has a
  contingency plan that has been tested in the past fiscal year?
• Has the agency integrated its information and information technology
  security program with its critical infrastructure protection
  responsibilities and other security programs (e.g., continuity of
  operations, and physical and operational security)?

Configuration Management

• Has the CIO implemented agency-wide policies that require detailed
  security configurations?
• What percentage of systems have received these configurations for
  programs such as Microsoft Windows variations, Solaris, HP, Linux, Cisco
  routers, Oracle, and others?

Incident Detection and Response

• Does the agency have documented policies and procedures for reporting
  security incidents internally, to law enforcement authorities, and to
  the US Computer Emergency Readiness Team (US-CERT)?
• What percentage of systems has undergone vulnerability scans and
  penetration tests in the past fiscal year?

Training

• Has the agency CIO ensured security training and awareness of all
  agency employees, including contractors and those employees with
  significant IT security responsibilities?

Inventory

• Has the CIO created an inventory of agency systems and updated it
  annually, including reaching an agreement with the Inspector General on
  the number of programs, systems, and contractor operations?

NIST has created FISMA implementation tips that can help federal agencies
perform a successful implementation, including:

• Conduct FIPS 199 impact analyses as a corporate-wide exercise with the
  participation of key officials (e.g., Chief Information Officer, Senior
  Agency Information Security Officer, Authorizing Officials, and System
  Owners).
• Conduct the selection of common security controls (i.e., agency
  infrastructure-related controls or controls for common hardware/software
  platforms) as a corporate-wide exercise with the participation of key
  officials (e.g., Chief Information Officer, Senior Agency Information
  Security Officer, Authorizing Officials, and System Owners).
• For each security control baseline (low, moderate, or high) identified
  in NIST Special Publication 800-53, apply the tailoring guidance to
  adjust set of controls to meet the specific operational requirements of
  the agency.
• For each tailored security control baseline, supplement the security
  controls with additional controls and/or control enhancements based on
  the results of an organizational assessment of risk.

In addition, the Continuous Diagnostics and Mitigation (CDM) program,
developed by the Department of Homeland Security (DHS) is designed to
support FISMA efforts through a six-phase process, designed to be executed
within 72 hours.

1. Install/Update Sensors: To determine what exists on a
   network.
2. Automated Search for Flaw: To highlight weaknesses.
3. Collect Results from Departments and Agencies: To
   gather all data into one place, allowing for a singular view.
4. Triage and Analyze Results: To determine a course of
   action for response and protection.
5. Fix Worst First: To repair vital risks immediately.
6. Report Progress: To share results under FISMA and
   other cybersecurity requirements.

The program is designed to be an ongoing program that is supported by
changes to technology acquisition requirements to help agencies move to
modernized levels of security.

Current View

[return to top of this
report]

Information security plays an integral role in the overall operations of
agencies that meet FISMA compliance standards. The Paperwork Reduction Act
effectively moved the federal government from a paper-based system to one
that has different requirements for information security. Each specific
agency is responsible for the identification and implementation of
security controls that pertain to it. This is done in collaboration with
the CIO, authorizing officials, information system owners, system security
managers, and system security officers. Therefore, every federal CIO is
responsible for ensuring the security of information within their agency
and they usually do so with the advice of their agency CISO.

Every year, the House Government Reform Committee generates its Federal
Information Security Report Card. The grades are primarily based on
reports submitted by agencies to the OMB through FISMA.

The Federal Audit Executive Council has established a FISMA Working Group
for the Inspector General’s community in an attempt to promote interagency
coordination of information security and evaluation requirements
established by FISMA. Their goal is to provide FISMA training and update
conferences, offer a forum for lessons learned, and to coordinate issues
and initiatives that cross agency lines.

The private sector is responding as well. In an attempt to meet the needs
of federal agencies, some commercial vendors are supplying tools that
purport to help. Symantec, for example, offers its Symantec Enterprise
Security Manager as well as its Control Compliance Suite, which provide
specific, pre-configured security policies, intended to allow government
agencies to audit their environments for compliance. The package performs
more than 2,000 different security and vulnerability checks to measure
whether systems and applications are configured properly, and attempts to
discover un-patched vulnerabilities in an attempt to contain and
re-mediate them.

To be sure, FISMA compliance is rife with pitfalls. Newer technologies
pose challenges for all users, not just federal agencies. Inspectors
generally find it difficult to keep up with technological changes – they
are after all inspectors and auditors and not technicians or
technologists. The need to ensure that contractors and other providers are
compliant with FISMA presents agencies with an additional burden outside
of the tasks they currently have internally.

There are a lot of critics of FISMA. Many lawmakers say that FISMA wastes
time and money, since officials are required to fill out tedious reports
to ensure their agencies are compliant. In 2010, legislation was
introduced that would provide a refresh of FISMA. Part of the bill, H.R.
4900, recommends that a permanent official be named by the President to a
position that oversees cybersecurity compliance. The government has taken
a few steps to automate FISMA: agencies have been instructed to stop
sending paper-based reports and now will begin submitting reports
electronically via secure monitoring systems.

Reform bills for existing FISMA standards were introduced and adopted
during 2012, as well. These bills are designed to move FISMA from being a
check-list type program to being a risk-based program that is agile enough
to respond to a real threat in real time. Under the bill, each department
secretary and agency director is held accountable for their organization’s
IT security. Although most federal agencies have chief information
security officers to coordinate IT security activities, the new
FISMA legislation requires them to have CISOs to develop,
implement and oversee agency-wide IT security programs. The bill also
requires each CISO to have the “necessary qualifications” that include
education, training, experience and security clearance.

The Federal Information Security Amendments Act of 2013 was introduced in
April of 2013 to “reestablish the oversight authority of the Director of
the Office of Management and Budget (OMB) with respect to agency
information and security policies and practices.” This amendment extends
the security requirements of federal agencies to include responsibilities
for:

1. Complying with computer standards developed by NIST.
2. Ensuring complementary and uniform standards for information systems
   and national security systems.
3. Ensuring that information security management processes are integrated
   with budget processes.
4. Securing facilities for classified information.
5. Maintaining sufficient personnel with security clearances.
6. Ensuring that information security performance indicators are included
   in the annual performance evaluations of all managers, senior managers,
   senior executive service personnel, and political appointees.

Recommendations

[return to top of this
report]

Government agencies required to comply with FISMA compliance should use
the National Institute of Standards and Technologies for guidance on
control frameworks, security categorization, and asset clarification.

Government contractors, particularly those responsible for managing
federal information systems and their associated data, need to be
attentive to the requirements under FISMA because in the long run if the
agency fails FISMA compliance and a contractor is heavily involved in
providing day-to-day support, the contractor fails as well.

State and local agencies that use federal information systems also need
to be compliant with FISMA. In fact, all organizations which possess or
use federal information or which operate, use, or have access to federal
information systems on behalf of a federal agency must comply.

Additionally, equipment suppliers and other vendors may also be required
to comply. FISMA applies to federal information, as well as information
systems and in certain limited circumstances its requirements also apply
to a specific class of information technology, i.e., “equipment that is
acquired by a Federal contractor incidental to a Federal contract.” In
these cases when federal information is used within incidentally acquired
equipment, the agency is responsible for ensuring that FISMA requirements
are met. That burden will then fall on the supplier to meet their end of
the bargain.

In the end, in addition to federal agencies, contractors, and other
sources should test their own organizations against FISMA reporting
requirements, become familiar with, and comply with NIST publications and
guidance.

Web Links

[return to top of this
report]

• Continuous Diagnostics and Mitigation Program: https://www.us-cert.gov/cdm/home
• Federal Chief Information Officers Council: http://www.cio.gov/
• Federal Information Security Management Act: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
• Federal Information Security Modernization Act (2014): https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf
• NIST – National Institute of Standards and Technology: http://www.nist.gov/
• Symantec: http://www.symantec.com

[return to top of this
report]