FISMA


Jurisdiction of this law:
USA

Type of Rule:
Law

Popular name:
FISMA

Official name:
To strengthen Federal Government information security, including through the requirement for the development of mandatory information security risk management standards.

Other names:
H.R.3844, Federal Information Security Management Act of 2002

For more information:
Computer Security Resource Center (CSRC) site:
http://csrc.nist.gov/sec-cert/index.html

AICPA site:
http://infotech.aicpa.org/Resources/

Official Library of Congress site:
http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03844

Report: USA Today report on the bad FISMA report card, with details:
http://blogs.usatoday.com/oped/2007/05/post_15.html

Spring 2007 report from the US Congress' Government Accountability Office (GAO), saying that 21 of 24 major agencies had "significant weaknesses" in information security controls, putting data at risk (PDF):

http://www.gao.gov/new.items/d07751t.pdf

"Report Card" on data security issued by Rep. Tom Davis, R-Va., of the House Oversight and Government Reform Committee, in which seven Cabinet-level agencies, including the Defense Department and the Treasury Department (home to the IRS), got failing grades (PDF):
http://republicans.oversight.house.gov/Media/PDFs/FY06FISMA.pdf



Description:
FISMA defines three security objectives for information and information systems (Confidentiality, Integrity and Availability) and requires every government agency to secure the information and information systems that support its operations and assets, including those provided or managed by another agency, contractor, or other source.

Controls:
The National Institute of Standards and Technology (NIST) has presented control categories designed to satisfy FISMA requirements. (See NIST document SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations)

SP 800-53 Controls

Access Control (AC)
AC-1: Access Control Policy and Procedures
AC-2: Account Management
AC-3: Access Enforcement
AC-4: Information Flow Enforcement
AC-5: Separation of Duties
AC-6: Least Privilege
AC-7: Unsuccessful Login Attempts
AC-8: System Use Notification
AC-9: Previous Logon Notification
AC-10: Concurrent Session Control
AC-11: Session Lock
AC-12: Session Termination
AC-13: Supervision and Review - Access Control
AC-14: Permitted Actions without Identification or Authentication
AC-15: Automated Marking
AC-16: Automated Labeling
AC-17: Remote Access
AC-18: Wireless Access Restrictions
AC-19: Access Control for Portable and Mobile Devices
AC-20: Use of External Information Systems

Awareness and Training (AT)
AT-1: Security Awareness and Training Policy and Procedures
AT-2: Security Awareness
AT-3: Security Training
AT-4: Security Training Records
AT-5: Contacts with Security Groups and Associations

Audit and Accountability (AU)
AU-1: Audit and Accountability Policy and Procedures
AU-2: Auditable Events
AU-3: Content of Audit Records
AU-4: Audit Storage Capacity
AU-5: Response to Audit Processing Failures
AU-6: Audit Monitoring, Analysis, and Reporting
AU-7: Audit Reduction and Report Generation
AU-8: Time Stamps
AU-9: Protection of Audit Information
AU-10: Non-repudiation
AU-11: Audit Record Retention

Certification, Accreditation, and Security Assessments (CA)
CA-1: Certification, Accreditation, and Security Assessment Policies and Procedures
CA-2: Security Assessments
CA-3: Information System Con
CA-4: Security Certification
CA-5: Plan of Action and Milestones
CA-6: Security Accreditation
CA-7: Continuous Monitoring

Configuration Management (CM)
CM-1: Configuration Management Policy and Procedures
CM-2: Baseline Configuration
CM-3: Configuration Change Control
CM-4: Monitoring Configuration Changes
CM-5: Access Restrictions for Change
CM-6: Configuration Settings
CM-7: Least Functionality
CM-8: Information System Component Inventory

Contingency Planning (CP)
CP-1: Contingency Planning Policy and Procedures
CP-2: Contingency Plan
CP-3: Contingency Training
CP-4: Contingency Plan Testing and Exercises
CP-5: Contingency Plan Update
CP-6: Alternate Storage Site
CP-7: Alternate Processing Site
CP-8: Telecommunications Services
CP-9: Information System Backup
CP-10: Information System Recovery and Reconstitution

Identification and Authentication (IA)
IA-1: Identification and Authentication Policy and Procedures
IA-2: User Identification and Authentication
IA-3: Device Identification and Authentication
IA-4: Identifier Management
IA-5: Authenticator Management
IA-6: Authenticator Feedback
IA-7: Cryptographic Module Authentication

Incident Response (IR)
IR-1: Incident Response Policy and Procedures
IR-2: Incident Response Training
IR-3: Incident Response Testing and Exercises
IR-4: Incident Handling
IR-5: Incident Monitoring
IR-6: Incident Reporting
IR-7: Incident Response Assistance

Maintenance (MA)
MA-1: System Maintenance Policy and Procedures
MA-2: Controlled Maintenance
MA-3: Maintenance Tools
MA-4: Remote Maintenance
MA-5: Maintenance Personnel
MA-6: Timely Maintenance

Media Protection (MP)
MP-1: Media Protection Policy and Procedures
MP-2: Media Access
MP-3: Media Labeling
MP-4: Media Storage
MP-5: Media Transport
MP-6: Media Sanitization and Disposal

Physical and Environmental Protection (PE)
PE-1: Physical and Environmental Protection Policy and Procedures
PE-2: Physical Access Authorizations
PE-3: Physical Access Control
PE-4: Access Control for Transmission Medium
PE-5: Access Control for Display Medium
PE-6: Monitoring Physical Access
PE-7: Visitor Control
PE-8: Access Records
PE-9: Power Equipment and Power Cabling
PE-10: Emergency Shutoff
PE-11: Emergency Power
PE-12: Emergency Lighting
PE-13: Fire Protection
PE-14: Temperature and Humidity Controls
PE-15: Water Damage Protection
PE-16: Delivery and Removal
PE-17: Alternate Work Site
PE-18: Location of Information System Components
PE-19: Information Leakage

Planning (PL)
PL-1: Security Planning Policy and Procedures
PL-2: System Security Plan
PL-3: System Security Plan Update
PL-4: Rules of Behavior
PL-5: Privacy Impact Assessment
PL-6: Security-Related Activity Planning

Personnel Security (PS)
PS-1: Personnel Security Policy and Procedures
PS-2: Position Categorization
PS-3: Personnel Screening
PS-4: Personnel Termination
PS-5: Personnel Transfer
PS-6: Access Agreements
PS-7: Third-Party Personnel Security
PS-8: Personnel Sanctions

Risk Assessment (RA)
RA-1: Risk Assessment Policy and Procedures
RA-2: Security Categorization
RA-3: Risk Assessment
RA-4: Risk Assessment Update
RA-5: Vulnerability Scanning

System and Services Acquisition (SA)
SA-1: System and Services Acquisition Policy and Procedures
SA-2: Allocation of Resources
SA-3: Life Cycle Support
SA-4: Acquisitions
SA-5: Information System Documentation
SA-6: Software Usage Restrictions
SA-7: User Installed Software
SA-8: Security Engineering Principles
SA-9: External Information System Services
SA-10: Developer Configuration Management
SA-11: Developer Security Testing

System and Communications Protection (SC)
SC-1: System and Communications Protection Policy and Procedures
SC-2: Application Partitioning
SC-3: Security Function Isolation
SC-4: Information Remnance
SC-5: Denial of Service Protection
SC-6: Resource Priority
SC-7: Boundary Protection
SC-8: Transmission Integrity
SC-9: Transmission Confidentiality
SC-10: Network Disconnect
SC-11: Trusted Path
SC-12: Cryptographic Key Establishment and Management
SC-13: Use of Cryptography
SC-14: Public Access Protections
SC-15: Collaborative Computing
SC-16: Transmission of Security Parameters
SC-17: Public Key Infrastructure Certificates
SC-18: Mobile Code
SC-19: Voice Over Internet Protocol
SC-20: Secure Name/Address Resolution Service (Authoritative Source)
SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22: Architecture and Provisioning for Name/Address Resolution Service
SC-23: Session Authenticity

System and Information Integrity (SI)
SI-1: System and Information Integrity Policy and Procedures
SI-2: Flaw Remediation
SI-3: Malicious Code Protection
SI-4: Information System Monitoring Tools and Techniques
SI-5: Security Alerts and Advisories
SI-6: Security Functionality Verification
SI-7: Software and Information Integrity
SI-8: Spam Protection
SI-9: Information Input Restrictions
SI-10: Information Accuracy, Completeness, Validity, and Authenticity
SI-11: Error Handling
SI-12: Information Output Handling and Retention


Copyright 2004-2010 The Data Governance Institute, LLC. All Rights Reserved