Is Your Agency Failing FISMA?
This article provides an introduction to and general overview of the Federal Information Security Management Act (FISMA) and the Certification and Accreditation (C&A) process. It discusses the following topics:
- The requirements of FISMA
- The regulations that direct the process and provide the guidance necessary to perform the tasks in a uniform manner
- The terms certification and accreditation, as well as the C&A process
- The different C&A methodologies
- Problems with the existing system
This article is not intended to be a single source of information or knowledge. The Certification and Accreditation process is much too complex to cover in a single short article. References are provided for readers seeking additional information.
What Is It?
What exactly is FISMA, anyway? FISMA is derived from the E-Government Act (Public Law 107-347), which was passed in December 2002. FISMA replaced the Government Information Security Reform Act (GISRA) and was enacted to address the requirements for non–national security government agencies. Title III of the E-Government Act is titled the Federal Information Security Management Act (FISMA).
FISMA explicitly requires federal agencies to "develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source." Furthermore, FISMA requires each federal agency to report to Congress annually by March 1. The agency FISMA report must address the adequacy and effectiveness of information security policies, procedures, and practices.
The Office of Management and Budget (OMB) has additional requirements contained in Circular A-130, Appendix III, Security of Federal Automated Information Resources. OMB A-130 specifically calls for executive agencies within the federal government to do the following:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and periodically thereafter