Regulations & Compliance
FISMA
(Federal Information Security Management Act)
December 2002
http://csrc.nist.gov/sec-cert/

Description

The Federal Information Security Management Act (FISMA) is Title III of the E-Government Act, which was signed into law in December 2002. It outlines requirements for securing Federal information. Each Federal agency, including contractors or other organizations that work with the agency, must develop, document, and implement an agency-wide information security program. The National Institute of Standards and Technology (NIST) provides detailed guidance and recommendations encompassing all aspects of information security.

FISMA sections 3544 and 3505 require the following:
  • FISMA Sec. 3505(c)(1): The head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency.
  • FISMA Sec. 3505(c)(2): The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
  • FISMA Sec. 3544(a)(1)(A)(i) and Sec. 3547: The application should be protected against unauthorized access, use, disclosure, disruption, modification or destruction of information collected or maintained by the agency.
  • FISMA Sec. 3544(a)(1)(A)(ii): The application should be protected against unauthorized access, use, disclosure, disruption, modification or destruction of information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of the agency.
  • FISMA Sec. 3544(a)(1)(A)(ii): The head of each agency shall be responsible for the information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
  • FISMA Sec. 3544(b): The application must be able to ensure the integrity, confidentiality, authenticity, availability, and non-repudiation of information and information systems supporting agency operations and assets.
  • FISMA Sec. 3544(b)(2)(C): Each agency shall develop, document, and implement an agency-wide information security program, ensuring that information security is addressed throughout the life cycle of each agency information system.
  • FISMA Sec. 3544(b)(2)(D): Each agency shall develop, document, and implement an agency-wide information security program that includes periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented.
In other words, the following must be ensured:
    1. IT systems compliance: Requires identification of all systems in use that access federal information, including validation of their compliance. To help agencies achieve this, the National Institute of Standards and Technology (NIST) has released a series of guidelines, checklists, and templates that detail acceptable configurations for systems.

    2. Regular risk assessment: Agencies must have an agency-wide information security program that includes controls and checks to ensure effectiveness, including reporting on existing risks and responses.

    3. Incident response: The NIST controls document outlines specific steps to follow and functions to perform depending on the level of threat posed by the environment.

    4. Intrusion detection: Requires reporting on cyber security risks and responses.

    5. Boundary protection: Systems and applications should be protected from unauthorized access, both from outside the agency and its contractors and from within.

    6. Compliance reporting: Requires detailed reporting on FISMA compliance status.

Available guidance to agencies in complying with NIST standards and guidelines: NIST publishes two types of security documents: (i) Federal Information Processing Standards (FIPS) and (ii) Special Publications (the 800-series guidance). The Federal Information Security Management Act (FISMA) of 2002 requires federal agencies to comply with FIPS; FIPS are mandatory and cannot be waived. Office of Management and Budget policy (for example, OMB's 2005 FISMA Reporting Guidance) requires federal agencies to comply with NIST Special Publications (800-series guidance). The compliance dates for NIST security standards and guidelines are as follows:

  • For legacy information systems, agencies are expected to be in compliance with NIST security standards and guidelines within one year of the final publication date.
  • For information systems under development, agencies are expected to be in compliance with NIST security standards and guidelines immediately upon deployment of the information systems.
NIST also produces other types of security-related publications such as inter-agency reports (NISTIRs) and Bulletins. These publications are typically informative in nature unless otherwise stated by OMB or NIST.


Audit Body

The Inspector General (or an independent firm appointed by the Inspector General) performs the necessary audits. Federal agencies must transmit their fiscal year reports to the Office of Management and Budget (OMB) by October of each year. OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling its FISMA goals and milestones.


Industry Affected

Federal agencies, and contractors or other organizations that work with Federal agencies.


Distributed Taps & FISMA Compliance

    1. IT systems Compliance:
    Real-time network and asset visibility means that you will always know what assets are on the network, be able to accurately identify all systems in use, and verify that they are operating in compliance with the requirements.

    2. Risk Assessment:
    Greater visibility into your network helps you assess potential risks.

    3. Incident Response:
    IDS and other monitoring tool messages and alerts can be sent to individuals or groups, informing them of an incident and prompting action. At the same time, commands can be sent to routers and other network devices to block an intruder's access, or instructions can be passed to a patch management or configuration system. These capabilities address the requirement that, having identified a threat, security specialists must work to mitigate the potential for damage and correct out-of-policy situations.

    4. Intrusion Detection:
    IDS Sensors use a powerful combination of signature, protocol, and anomaly-based inspection methods to achieve maximum attack detection and prevention capability. They are able to detect changes in systems or network activity, such as new services, changes in flows, etc. They also support requirements for activity monitoring to identify security threats and incidents such as external attacks and malicious software.

    5. Boundary Protection:
    IDS and monitoring ensure network security behind the firewall, including detection of malicious activity originating from within the network.

    6. Access Monitoring:
    Access is monitored by watching the network for any anomalies or policy violations.
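The anomaly-based detection of "new services" and "changes in flows" described under Intrusion Detection, and the monitoring for policy violations described under Access Monitoring, can both be illustrated with a small flow-baseline detector. The following is an added example written for this page; it is not VSS code and does not represent any VSS product. The flow record format, the sample flows, and the access policy (denied ports and an admin-only host reachable only from an assumed admin subnet) are all constructed for the illustration.

```python
"""Flow-baseline anomaly and policy detector (illustrative, constructed data).

Learn the set of service endpoints seen during a baseline window, then flag
flows to endpoints that were never seen before (anomaly detection) and flows
that violate a simple access policy (policy violation monitoring)."""
from dataclasses import dataclass
import re

# Assumed record format (not a VSS format):
#   "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$"
)

# Constructed sample flows observed during the learning window.
BASELINE_FLOWS = [
    "2024-03-01T09:00:01 10.0.1.10:50111 -> 10.0.0.9:22 tcp",    # admin host -> server SSH
    "2024-03-01T09:00:05 10.0.0.20:50112 -> 10.0.0.30:443 tcp",  # workstation -> web server
    "2024-03-01T09:00:07 10.0.0.20:50113 -> 10.0.0.53:53 udp",   # workstation -> DNS
]

# Constructed sample flows from a later monitoring window.
MONITOR_FLOWS = [
    "2024-03-02T10:00:01 10.0.0.20:50200 -> 10.0.0.30:443 tcp",  # known service, allowed
    "2024-03-02T10:00:02 10.0.0.20:50201 -> 10.0.0.9:22 tcp",    # known service, wrong source segment
    "2024-03-02T10:00:03 10.0.0.20:50202 -> 10.0.0.40:8080 tcp", # service never seen in baseline
    "2024-03-02T10:00:04 10.0.0.31:50203 -> 10.0.0.30:23 tcp",   # new service and a denied protocol
    "this line is not a flow record",                            # malformed, must be skipped
]

# Hypothetical access policy for the monitored segment.
DENIED_SERVICES = {(23, "tcp"), (21, "tcp")}   # cleartext telnet and FTP are never permitted
ADMIN_ONLY_HOSTS = {"10.0.0.9"}                # may only be reached from the admin subnet
ADMIN_SUBNET_PREFIX = "10.0.1."


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Return a Flow for a well-formed record, or None so malformed input is skipped."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])


def build_baseline(lines):
    """Set of (dst_ip, dst_port, proto) service endpoints seen in the learning window."""
    services = set()
    for line in lines:
        f = parse_flow(line)
        if f:
            services.add((f.dst, f.dport, f.proto))
    return services


def check_flow(f, baseline):
    """Return a list of (kind, timestamp, detail) alerts for one flow."""
    alerts = []
    if (f.dst, f.dport, f.proto) not in baseline:
        alerts.append(("new_service", f.ts, f"{f.dst}:{f.dport}/{f.proto} not in baseline"))
    if (f.dport, f.proto) in DENIED_SERVICES:
        alerts.append(("policy_violation", f.ts, f"{f.src} used denied service {f.dport}/{f.proto}"))
    if f.dst in ADMIN_ONLY_HOSTS and not f.src.startswith(ADMIN_SUBNET_PREFIX):
        alerts.append(("policy_violation", f.ts, f"{f.src} reached admin-only host {f.dst}"))
    return alerts


def detect(lines, baseline):
    """Run every record through check_flow; malformed records are dropped, not mis-parsed."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f:
            alerts.extend(check_flow(f, baseline))
    return alerts


if __name__ == "__main__":
    for kind, ts, detail in detect(MONITOR_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{ts} [{kind}] {detail}")
```

The baseline is deliberately keyed on destination endpoint rather than on full five-tuples, so routine client port churn does not generate alerts while a genuinely new listening service does; a production sensor would age the baseline and learn from a window long enough to cover normal weekly activity.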
