What is FISMA and How Does it Apply to My OrganizationLegal Compliance Resource
November 4, 2013 — 1,064 views
FISMA is an acronym for Federal Information Security Management Act. It is a federal law that was enacted to ensure that companies follow necessary guidelines to safeguard and protect their information and intellectual property.
FISMA Standards are enacted by national bodies such as the NIST, the National Institute of Standards and Technology. The NIST has the responsibility of developing standards, metrics, tests and protocols which are to be used for the implementation of FISMA. Local administrators should regularly check with NIST and its updated standards and should tailor their policy accordingly.
The FISMA framework has several guidelines and advisory policies. The FISMA requires authorities to develop and maintain an inventory of information systems. The inventory should include and store the entire necessary infrastructure for the use and dissemination of information.
The FISMA requires authorities to categorize information and information systems according to their risk level. The risk level varies from low to high. It is the responsibility of the administrators to judge the risk level accurately. Once categorized, it becomes difficult to change the risk level of the information system. FISMA requires authorities to institute several security controls on the information systems. These security controls restrict who can or cannot access the system at what times. This is essential for maintaining the safety of the system.
The FISMA framework requires local authorities to perform a risk assessment on the security systems and the information that is stored in them. This entails monitoring and noting down all the vulnerabilities and weaknesses in the system that can expose its security threats from the outside. FISMA requires authorities to perform continuous monitoring of the information system. Any attacks that might occur on the system can be detected immediately by doing this. This also deters potential attackers who might be planning to attack the information system.
FISMA requires the authorities to provide certification and accreditation to people who are capable of managing the system. The certification can then be used by them to bolster their credentials and take a greater responsibility of protecting and maintaining the system.
The authorities are required to regularly produce reports which should summarize all the necessary steps that they have taken to implement the FISMA guidelines. It should also provide information on current state of information security and future plans. The reports should paint an accurate picture of the information security system, how maximum security is being ensured, and how the guidelines are being followed. The reports should be regularly reviewed and kept up to date. Any changes, if required, should be made as soon as possible.
In conclusion, it can be said that the FISMA, being a federal regulation, requires several measures which the local authorities need to take to ensure information security in their respective domains. It makes the authorities responsible for the security of the information systems that are under their control. It is a key piece of legislation and it is hoped that it would do a lot of good to all stakeholders in the information security system.