Is Your IT System FISMA Compliant for 2020?
Title III of the E-Government Act of 2002, known as the Federal Information Security Management Act (FISMA), is a comprehensive framework for securing federal government information technology (IT). FISMA provides a set of specific guidelines for federal agencies and their contractors on how to plan for, budget, implement, monitor, and maintain secure systems.
The Federal Information Security Management Act (FISMA) requires federal agencies to improve the security of IT systems, applications, and databases. Each federal agency must develop, document, and implement a program to provide security for the data and IT systems that support its operations and assets. Technology-based controls include access control, identification and authentication, audit and accountability, encryption, and system and communications protection.
FISMA compliance is a matter of national security, and therefore is scrutinized at the highest level of government. All federal agencies receive an annual grade for their FISMA compliance programs these "report cards" are made public and are available on the Internet.
FISMA compliance involves identifying and classifying critical IT assets, assessing risk, and implementing security controls on IT systems and networks. The challenge of FISMA is that IT systems are increasing in complexity, as are the sophistication of cyber attacks.
FISMA IT Asset Inventory
A basic requirement of FISMA compliance is an inventory of all IT hardware and software assets stored in a database. The IT inventory should contain the following information for each piece of hardware and software in your organization:
Description of asset
Date of purchase or lease
Date of deployment
Date of last upgrade performed
Record of service
Maintenance and repairs performed
Customization or modifications performed
Disposition (recycle, disposal, resale)
FISMA Compliance: 8-Step Process
The following eight step process for acheiving FISMA compliance is derived from NIST documentation for has proposed the following increasing the security of federal IT systems. The security controls set forth by COBIT combined with the infrastructure processes of ITIL provides an effective framework for FISMA compliance.
1. Create an IT hardware & software inventory.
2. Perform a Gap Analysis to establish security controls baseline.
3. Perform a Risk Assessment of security controls .
4. Create a security system plan and documentation.
5. Implement and deploy the security controls.
6. Perform an audit of the security controls to determine effectivness.
7. Perform corrective actions as needed.
8. Monitor security controls on continual basis.