The Federal Information Security Modernization Act of 2014 (FISMA), meant a great update to the U.S. Federal Government’s cybersecurity practices. Unlike other Federal industry-specific laws like HIPAA, meant for healthcare facilities, FISMA provides guidelines for all federal agencies.
This legislation amended FISMA 2002 and updated existing laws to push for better response on cyber attacks against agencies and departments.
The U.S. Congress saw how IT resources played a critical role in the social, political, and economic well-being. After all, they provide services to all U.S. citizens, they maintain the civil infrastructure and hold great deals of knowledge.
Due to the latter, it is necessary that state agencies have policies in place to address security in a way that mitigates all risks in the data processing. Privacy and data security are at stake.
For this, the Department of Homeland Security (DHS) was given added authority over information security policies by FISMA. This stretches beyond is national reach: they were charged to develop and oversee cybersecurity for other agencies upon request.
FISMA brought several changes to the Federal Government’s cybersecurity practices. It better addresses new threats and it’s more flexible to accommodate evolving concerns.
Back to the Basics – What is Cybersecurity?
The focus is on the issues caused by security incidents. Practical measures, like strengthening the use of continuous monitoring are promoted, while reporting became secondary.
What’s New in FISMA 2014?
As we mentioned before, FISMA’s update now states the DHS must provide assistance to other federal Executive Branch civilian agencies on request. Specifically, to implement security policies and technologies that help them oversee their agency’s data protection.
It also provides the DHS the authority to develop and regulate binding operational directives that follow OMB policies and practices
With Fisma, the Department has the authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with Office of Management and Budget policies and practices. It also:
- Placed the federal information security incident center (a function fulfilled by US-CERT) within DHS by law.
- Authorized DHS technology deployments to other agencies’ networks (upon those agencies’ request).
- Directed OMB to revise policies regarding notification of individuals affected by federal agency data breaches.
- Required agencies to report major information security incidents as well as data breaches to Congress as they occur, and annually.
- Simplified existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.
Agencies Maintain Control, Gain DHS Cyber-Expertise
In spite of the DHS’s new reach, Agencies remains in the hands of the Agencies. These have to manage their own compliance and request the DHS’s aid when necessary.
There is responsible behind each organization, and that is the head of each Agency. This person will be held accountable for the security protections applied, and how they help to reduce the risk of harm, unauthorized access, bad use, disclosure, modification, or destruction of their data.
To maintain these standards, the Agencies have to report the effectiveness of their security implementations annually to the DHS. However, this is not a negative exchange at all.
Due to the seeming magnitude of Agencies, and major outdated IT systems, these organizations must make annual progress. Collaborating with the DHS’s experts and their guidance, on how to asses their current status, and evolve. The impact can be huge, but necessary to implement new security strategies, such as Zero Trust.
Understanding and Complying with FISMA
As a key element of the FISMA Implementation Project, The National Institute of Standards and Technology (NIST) developed an integrated Risk Management Framework.
It has a risk-based approach, which means the system evolves in time according to a continuous risk audit, and legal context analysis. The management of organizational risk is the key element when your selection of security controls.
The first step the agency must take is to Prepare. Normal activities are carried to better understand the infrastructure the agency is working with.
Next comes Categorization. Meaning the agency must categorize its information system and realize an impact analysis. This is followed by the selection and implementation of security controls, based on the initial audit. The framework suggests Agencies cover the following areas:
|Security Controls||• Risk Assessment|
• Certification, Accreditation and Security Assessments
• System Services and Acquisition
• Security Planning
• Configuration Management
• System and Communications Protection
• Personnel Security
• Awareness and Training
• Physical and Environmental Protection
• Media Protection
• Contingency Planning
• System and Information Integrity
• Incident Response
• Identification and Authentication
• Access Control
• Accountability and Audit
Finally, if all is in place, the system’s operation is authorized and monitored. This initiates the never-ending optimization loop that ensures made efforts are judged when attacks strike, and if needed, improved.
It effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.
With this update, FISMA replaced inefficient and wasteful reporting for better infrastructures and proactive reactions to attacks. It is a collaborative effort between Federal Agencies and the DHS that ensures security protocols evolve in time and autoregulate themselves.
FISMA as a law stresses all Agencies to play a role in the Federal information life-cycle, seeking to steer clear from compliance-focused exercises.
Rather than an obligation of compliance law, like GDPR, FISMA is an open door that facilitates all necessary security resources to previously forgotten Federal agencies, whose security are as important for the country’s intelligence and infrastructure well-being.