The Federal Information Security Modernization Act of 2014 (FISMA) was passed by the Senate on December 8th, by the House on December 10th, and by the President on December 18th. It is a comprehensive bill intended to bring federal agency information security practices into the new millennium – to better respond to evolving cybersecurity threats. FISMA updates the Federal Information Security Management Act of 2002, and provides a comprehensive framework for ensuring the effectiveness of information security controls over federal information operations and assets. It recognizes the highly networked nature of current federal computing environments and the complex task of coordinating information security efforts throughout the civilian, law enforcement and national security communities. It also acknowledges that commercially developed information security products offer effective information security solutions, and that specific information security solutions should be left to individual agencies from among commercially developed products.
FISMA oversight: FISMA reestablishes the oversight authority of the Director of Office of Management and Budget (OMB) with respect to federal agency information security policies and practices. This includes the development and implementation of principles, standards and guidelines pertaining to information security within federal agencies, and coordinating the development of certain standards and guidelines with the National Institute for Standards and Technology (NIST) for use in national security systems. It rests operational responsibility for federal agency information security with the Secretary of the Department of Homeland Security (DHS), and directs the Secretary to consider applicable standards and guidelines developed by NIST. It also requires the Director of OMB, in consultation with the Security of DHS, to annually report to congress on the effectiveness of federal agency information security policies and practices, including a summary of information security incidents, thresholds for reporting major information security incidents, results of information system risk assessments, and agency compliance assessments.
FISMA accountability: The core of FISMA is an outline of information security responsibilities for federal agencies. It places responsibility for information security with each federal agency head, and requires them to provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of data or their information systems. It also makes them responsible for complying with the requirements of FISMA, including the security standards issued by NIST, operational directives issued by the Secretary of DHS, policies and procedures issued by the Director of OMB, information standards and guidelines for national security systems directed by the President, and ensuring that information security management processes are integrated with agency budgetary, operational and strategic planning processes. It also requires federal agency heads to ensure that senior agency management implement information security for assets and operations under their control, and that authority is delegated to Chief Information Officers to ensure compliance with FISMA.
FISMA information security program requirements: FISMA outlines the required component parts of each federal agency information security program. These include periodic risk assessments to determine the security posture of an information system. They also include the development and implementation of policies and procedures based on the risk assessments that reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each system. Also required is compliance with the standards and guidelines issued by NIST, and the implementation of minimum security configuration standards. Security awareness training is also required to inform personnel, including contractors, of the information security risks associated with their activities, and their responsibilities for complying with agency policies and procedures. Periodic tests and evaluations of the effectiveness of information security policies, procedures and practices, are also required to be done annually. Federal agencies are also required to develop processes for implementing remedial actions to address deficiencies identified in information systems. They must also develop procedures to detect, respond to, and report information security incidents, as well as procedures to ensure the continuity of operations in the event of a security incident.
FISMA annual reports: FISMA requires annual reporting of information security incidents by each federal agency to the Director of OMB, the Secretary of DHS, and various congressional committees. The reports must contain a description of each major security incident; the total number of security incidents, including a description of incidents resulting in significant compromise of information security; a description of major incidents involving a breach of personally identifiable information, including the number of individuals affected and a description of the compromised information. The Director of OMB is to develop guidance on what constitutes a major information security incident.
FISMA annual independent evaluations: FISMA also requires each federal agency to have an independent evaluation of its information security program and practices performed annually. This annual evaluation is to include an assessment of the effectiveness of the security policies, procedures and practices, and testing of the effectiveness of the information security policies, procedures, and practices of a representative subset of the agency’s information systems. The results of this annual evaluation must be submitted to the Director of OMB.
Federal information security incident center: FISMA also requires the operation of a federal information security incident center. FISMA of 2002 required the establishment of such a center, and the United States Computer Emergency Readiness Team (US-CERT) was established within DHS in 2003. It is an arm of the National Cybersecurity and Communications Integration Center (NCCIC) which was codified in the National Cybersecurity Protection Act of 2014. FISMA requires the continued operation of US-CERT to provide timely technical assistance to operators of agency information systems, including guidance on detecting and handling information security incidents. US-CERT is also required to compile and analyze information about incidents that threaten information security, and to share that information with operators of agency information systems. It is also required to consult with NIST and operators of national security information systems regarding information security incidents.
Data breach reporting: FISMA requires the Director of OMB to ensure that federal agency data breach notification policies and guidelines are updated periodically, and that they require notice to various congressional committees expeditiously, but not later than 30 days from the date the agency discovers the unauthorized acquisition or access. The notice must include a description of how the breach occurred; an estimate of the number of individuals affected, including an assessment of the risk of harm to them; a description of any circumstances necessitating a delay in notification, and an estimate of whether and when the notification will be provided to affected individuals. FISMA also requires federal agencies to notify affected individuals as expeditiously as practicable and without unreasonable delay after the agency discovers the unauthorized acquisition or access. Notice may be delayed to individuals if it would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions.
Streamlined reporting: One of the measures heralded by information security personnel as a key to reform under FISMA, is that the Director of OMB, within one year of the enactment of FISMA, is required to revise Budget Circular A-130 to eliminate inefficient or wasteful reporting. This document has governed federal cybersecurity programs without change for over a decade, and compliance with it is cumbersome and inefficient. Elimination of “inefficient or wasteful” reporting requirements, will enhance the ability of federal agency information security personnel to not only comply with FISMA, but allocate more resources to deploying information security applications to better prevent, detect and respond to information security incidents.