FISMA Compliance Solutions

Background of FISMA: the Federal Information Security Management Act was enacted in 2002. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to maintain and support an agency-wide information security program under the guidelines of NIST Special Publication 800-18.

FISMA applies to all organizations that manage the operations and assets of a federal government agency whether that is a federal contractor, another agency or the agency itself. FISMA does not apply to national security systems under the Department of Defense or the Central Intelligence Agency.

Agencies and their contractors must comply with FISMA or funding for agencies can be withheld. Compliance is also an important benchmark in assessing the integrity and security of data held within an agency.

What are the steps to compliance under FISMA?

  • Provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of agency information or information systems.
  • Ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under the control of the agency.
  • Delegate to the agency CIO the authority to ensure compliance and to set up an office, with a head of office, within the agency that is responsible for compliance.
  • Ensure that the agency has sufficient trained personnel to assist the agency in complying with FISMA.
  • Ensure that annual reports are made by the CIO and senior agency officials to the head of the agency.

Recommended methods for compliance include:
  • Conduct periodic assessments of the risk and magnitude of the harm that would result from security breaches.
  • Set up policies and procedures that reduce information security risk levels.
  • Ensure that information security is addressed throughout the lifecycle of the agency's information systems.
  • Provide security awareness training.
  • Design plans and procedures to ensure continuity of operations for the information systems that support the operations and assets of the agency.
  • Annually obtain third-party verification of the agency's security program and practices to determine their effectiveness.

Dynamic Computer Corporation's Network Security Solutions practice can test the vulnerability of your network, provide remediation strategies, perform independent audits, provide business impact assessments to determine risk, and conduct social engineering assessments to train employees effectively.