Keeping Up with the FISMA Compliance Mandates
The Federal Information Security Management Act of 2002 (FISMA) is Title III of the E-Government Act of 2002 (U.S. Public Law 107-347), signed into law in December 2002. FISMA sets out how federal agencies, their contractors, and other organizations that handle federal data on an agency's behalf (for example, state and local governments) are to build and maintain their information security programs. It consists of a set of directives defining the security responsibilities of federal entities, and it assigns oversight and management roles for the implementation of those directives.
FISMA provides a number of specific tasks targeted to particular audiences:
- Agencies - Federal agencies carry the largest share of responsibility under FISMA. They are required to establish an agency-wide, risk-based information security program that meets a set of high-level requirements governing how information security is conducted. For example, agencies must assess the risk to their information and information systems, select controls to protect those systems, implement policies and procedures that reduce risk cost-effectively, periodically test and evaluate the effectiveness of those controls, train personnel on security policies and procedures, and detect, report, and respond to security incidents.
- National Institute of Standards and Technology (NIST) - NIST is responsible for developing the standards and guidelines to which agencies must adhere. These include the scheme for categorizing information and information systems by impact level and the minimum security requirements that apply to each level.
Private-Sector FISMA awareness
Although FISMA compliance is mandatory only for organizations that handle federal data, private-sector security practitioners benefit from following FISMA-related activity as well. Most of the supporting documentation produced for the federal sector is thorough and freely available, so it is directly usable by security professionals outside government. NIST, for example, has produced an extensive library of material on security program initiation, minimum security controls, and risk categorization that private-sector practitioners can apply to assessment, security policy authoring, and technical control selection. NIST's most comprehensive documents in this area, Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems," and its companion SP 800-53A, provide a detailed catalogue of security controls organized into baselines by impact level (low, moderate, and high), together with detailed procedures for assessing those controls once they have been implemented. For an auditor or assessor, the value of a standardized, freely available, documented checklist for verifying security controls is hard to overstate.
Log Fidelity’s log management and data security solution
The LogClarity® Suite is chosen by security administrators worldwide who want to strengthen security by monitoring all database activity, including access to customers' private data, extend log retention, and use an accurate forensics and reporting solution for FISMA compliance.
Get the LogClarity® Suite FISMA out-of-the-box whitepaper.