Government Information Security Reform Act

The Government Information Security Reform Act (GISRA) was passed by the United States Congress in 2000 as part of the E-Government Act. The act requires federal agencies to develop and implement information security programs in order to protect government information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

In order to comply with the act, agencies must appoint a Chief Information Officer (CIO) who is responsible for developing and overseeing the agency's information security program. The CIO must also develop and implement information security policies and procedures, and ensure that these policies and procedures are adequate to protect the confidentiality, integrity, and availability of government information and information systems.

In addition, the GISRA requires agencies to conduct risk assessments of their information systems and to develop and implement plans to mitigate these risks. These plans must be reviewed and updated on a regular basis. Agencies must also provide security awareness training for their employees and contractors, and must periodically test and evaluate their information security programs to ensure that they are effective.

What does FISMA cover?

The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 in response to concerns about the rapidly growing number of attacks on government and private sector computer systems. FISMA requires all federal agencies to develop, document, and implement an information security program that includes risk assessments, security plans, security awareness training, and periodic testing and reporting. FISMA also established the National Cybersecurity Division (NCD) within the Department of Homeland Security (DHS) to help federal agencies implement FISMA and to provide guidance on information security issues.

In general, FISMA covers all information and information systems that are used or operated by federal agencies. This includes everything from email and web servers to databases and mobile devices. FISMA does not, however, cover national security systems, which are subject to a separate set of security requirements.

Who enforces FISMA?

The Federal Information Security Management Act (FISMA) is enforced by the U.S. Office of Management and Budget (OMB). OMB develops and issues guidance for implementing FISMA, and reviews and approves agency information security programs. OMB also conducts periodic evaluations of agency information security programs and reports to Congress on the effectiveness of those programs. In addition, auditors from the U.S. Government Accountability Office (GAO) review agency information security programs and report their findings to Congress.

Why was FISMA enacted?

The Federal Information Security Management Act of 2002 (FISMA) was enacted in order to improve the security of information and information systems across the federal government. FISMA establishes a framework for setting and enforcing security standards, and requires each federal agency to develop, implement, and maintain an information security program.

FISMA was prompted by a number of high-profile security breaches, including the theft of a laptop computer containing sensitive data from the Department of Veterans Affairs in 1998, and the release of classified information from the Pentagon's Office of Special Plans in 2001. These and other incidents led to calls for increased security measures at all levels of the federal government.

FISMA has been credited with raising awareness of information security risks and helping to improve the security of federal systems. However, it has also been criticized for being overly prescriptive and for placing too much emphasis on compliance rather than on actually improving security.

What guidelines identify federal information security controls?

The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law that establishes a comprehensive framework for securing information and information systems used or operated by the federal government.

FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the agency's operations and assets. The law also requires agencies to periodically report on their progress in meeting these objectives.

In addition, FISMA requires the National Institute of Standards and Technology (NIST) to develop and issue minimum information security standards for federal information and information systems. The law also gives the Department of Homeland Security (DHS) primary responsibility for overseeing agencies' compliance with these standards.

The Office of Management and Budget (OMB) is responsible for issuing guidance to agencies on FISMA implementation, and for overseeing the government-wide information security program.

The following are some of the key guidelines that federal agencies must follow in order to comply with FISMA:

• Develop and implement an information security program that includes risk management activities;

• Develop and implement security policies and procedures;

• Select and implement security controls to protect information and information systems;

• Monitor and report on the effectiveness of security controls; and

• Test and evaluate security controls.