Federal Information Security Management Act of 2002

Long title: An Act to strengthen Federal Government information security, including through the requirement for the development of mandatory information security risk management standards.
Acronym (colloquial): FISMA
Nickname: E-Government Act of 2002
Enacted by: the 107th United States Congress
Effective: December 17, 2002
Public law: 107-347
Statutes at Large: 116 Stat. 2899, aka 116 Stat. 2946
Titles amended: 40 U.S.C.: Public Buildings, Property, And Works; 44 U.S.C.: Public Printing and Documents
U.S.C. sections created: 44 U.S.C. ch. 35, subch. III, § 3541 et seq.
U.S.C. sections amended: 40 U.S.C. ch. 113, subch. III, § 11331; 40 U.S.C. ch. 113, subch. III, § 11332; 44 U.S.C. ch. 1, § 101; 44 U.S.C. ch. 35, subch. I, § 3501 et seq.
Legislative history: introduced in the House as H.R. 3844 by Thomas M. Davis (R–VA) on March 5, 2002; committee consideration by House Government Reform and House Science; passed the House on November 15, 2002 (passed without objection); passed the Senate on November 15, 2002 (passed unanimous consent); signed into law by President George W. Bush on December 17, 2002.
Major amendments: replaced by the Federal Information Security Modernization Act of 2014.

The Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub. L. 107–347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio. This law has been amended by the Federal Information Security Modernization Act of 2014 (Pub. L. 113–283), sometimes known as FISMA2014 or FISMA Reform. FISMA2014 struck subchapters II and III of chapter 35 of title 44, United States Code, amending it with the text of the new law in a new subchapter II (44 U.S.C. § 3551).

Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information security systems. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies. NIST performs its statutory responsibilities through the Computer Security Division of the Information Technology Laboratory. NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. NIST hosts the following:

FISMA implementation project
Information Security Automation Program (ISAP)
National Vulnerability Database (NVD) – the U.S. government content repository for ISAP and the Security Content Automation Protocol (SCAP). NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Compliance framework defined by FISMA and supporting standards

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.

Inventory of information systems

FISMA requires that agencies have an information systems inventory in place. According to FISMA, the head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency. The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency. The first step is to determine what constitutes the "information system" in question. There is not a direct mapping of computers to an information system; rather, an information system may be a collection of individual computers put to a common purpose and managed by the same system owner. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems provides guidance on determining system boundaries.

Categorize information and information systems according to risk level

All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels. The first mandatory security standard required by the FISMA legislation, FIPS 199 "Standards for Security Categorization of Federal Information and Information Systems", provides the definitions of security categories. The guidelines are provided by NIST SP 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories."

The overall FIPS 199 system categorization is the "high water mark" for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of "Low" for "confidentiality," "integrity," and "availability," and another type has a rating of "Low" for "confidentiality" and "availability" but a rating of "Moderate" for "integrity," then the impact level for "integrity" also becomes "Moderate".

Security controls

Federal information systems must meet the minimum security requirements. These requirements are defined in the second mandatory security standard required by the FISMA legislation, FIPS 200 "Minimum Security Requirements for Federal Information and Information Systems". Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems". The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.

Risk assessment

The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. The agency's risk assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of "security due diligence" for the federal agency and its contractors. A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether the risk should be accepted or mitigated. If mitigated by the implementation of a control, one needs to describe what additional security controls will be added to the system.

NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) that support and complement the approach for achieving consistent, cost-effective security control assessments.

System security plan

Agencies should develop policy on the system security planning process. NIST SP 800-18 introduces the concept of a System Security Plan. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.

The system security plan is the major input to the security certification and accreditation process for the system. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. The certification agent confirms that the security controls described in the system security plan are consistent with the FIPS 199 security category determined for the information system, and that the threat and vulnerability identification and initial risk determination are identified and documented in the system security plan, risk assessment, or equivalent document.

Certification and accreditation

Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems". Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems.

The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.

Continuous monitoring

All accredited systems are required to monitor a selected set of security controls, and the system documentation is updated to reflect changes and modifications to the system. Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified.

Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved.

Critique

Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS Institute, have described FISMA as "a well-intentioned but fundamentally flawed tool", arguing that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security. Past GAO chief technology officer Keith Rhodes said that FISMA can and has helped government system security but that implementation is everything, and if security people view FISMA as just a checklist, nothing is going to get done.

See also

Attack (computing)
Committee on National Security Systems
Computer security
Cybersecurity
Cyberwarfare
Department of Defense Information Assurance Certification and Accreditation Process
Federal Desktop Core Configuration – NIST security standards for Windows workstations
Information assurance
Information security
Information security management system
IT risk
OMB Circular A-130
Security Content Automation Protocol – automated testing for security compliance
Threat (computer)
Vulnerability (computing)