Which law requires each federal agency to develop an information security program?

FISMA is U.S. government legislation that defines a comprehensive framework to protect government information, operations, and assets against threats. Signed into law in 2002 and updated in 2014, FISMA requires that federal systems meet a set level of security requirements (also known as “controls”). No agency is exempt. As a result, security compliance is often an integral part of every Federal IT pro’s decision-making process.

FISMA compliance defines a vast and detailed set of security requirements. That said, there are a handful of high-level requirements that can be summarized as follows:

Maintaining Compliance

Remember, these are the most basic, high-level FISMA compliance requirements. There are literally hundreds of additional security controls that cover everything from small technical details, such as which versions of the encryption protocol used for data in transit (Transport Layer Security) are permissible, to program-wide decisions that can affect funding, hiring and personnel security, disaster recovery plans, data protection mechanisms, privacy, and more. Even a low-impact system may have over 100 controls, and each of these may break out into individual enhancements (think subsidiary controls).

With all these controls, how does an agency maintain FISMA compliance? The most efficient way is to consider the force-amplifying effects of automation.

Consider a tool, or set of tools, that can automatically provide the following capabilities and so significantly reduce the time required for compliance efforts:

  • Discover network devices and build an inventory of the systems and software installed on your network
  • Validate that devices have been correctly configured from a security standpoint
  • Validate that system and security patches have been applied across your systems
  • Monitor system logs to help identify threats or malicious behavior
  • Block or quarantine malicious and suspicious activity
  • Monitor system performance to catch failures as they begin to occur, not after a failure leads to downtime

FISMA is an acronym that stands for the Federal Information Security Modernization Act of 2014. The original FISMA stood for the Federal Information Security Management Act of 2002.

There are a number of benefits associated with FISMA compliance. It also boosts security by requiring adherence to some of the highest standards and best practices.

FISMA compliance is based on a comprehensive framework designed to protect government information, operations, and assets from natural disasters or cybersecurity threats.

Why FISMA Exists

FISMA compliance rules are a subset of the E-Government Act of 2002, which has a stated goal to “enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.”

FISMA, in Title III of the E-Government Act, was called the Federal Information Security Management Act of 2002 and “requires each federal agency to develop, document, and implement an agency-wide security program. The agency’s security program should provide security for the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.” The Federal Information Security Modernization Act of 2014, the current version of FISMA, expands the reach to provide broader protections with thorough information security plans and safeguards. 

The National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) are assigned specific responsibilities by FISMA to strengthen information security systems. The head of each agency is required to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

Among the directives included in FISMA are the following:

  • Authorizes U.S. Department of Homeland Security (DHS) technology deployments to other agencies’ networks upon request
  • Establishes the federal information security incident center, which sits within DHS as part of US-CERT (United States Computer Emergency Readiness Team)
  • Gives DHS authority to administer the implementation of information security policies for federal, state, and civilian organizations
  • Requires organizations to notify and consult with US-CERT regarding data breaches involving federal agencies, contractors, or other sources
  • Requires the OMB to “eliminate inefficient and wasteful reporting”

Who Must Comply with FISMA?

When it was initially announced, FISMA applied only to federal agencies. However, the law has expanded to include state agencies that administer federal programs, such as Medicare and Medicaid.

In 2014, FISMA changed that requirement to include all companies that work with federal agencies, including public sector organizations. This means that any organization that supports a federal program, provides services to a federal agency, or receives grant money from federal agencies must adhere to FISMA compliance standards. The goal is to reduce the potential risk of unauthorized federal data use, disclosure, or loss, regardless of where the threat might originate.

How to Become FISMA Compliant

To be FISMA compliant, organizations must have data security controls in place, guided by the NIST framework. These include:

  • FedRAMP
    The Federal Risk and Authorization Management Program (FedRAMP) standardizes cloud-computing services to meet FISMA compliance requirements. All software vendors that work with U.S. government agencies are required to abide by the FedRAMP authorization programs.
  • Information system inventory
    All organizations must maintain an inventory of all systems that are in use, as well as their associated integrations.
  • Risk assessments
    The Risk Management Framework (RMF) must be used to perform a three-tiered risk assessment based on NIST SP 800-30.
  • Risk categorization
    Ensure compliance with the NIST standard for categorizing federal information systems (FIPS 199).
  • Security controls
    Adopt the 20 families of security controls outlined in NIST SP 800-53 to protect data.
  • System security plan
    Develop and regularly update a security plan that ensures the required protections (confidentiality, integrity, authenticity, non-repudiation, and availability of information and information systems) are in place. It should include:
    • Assignment of responsibilities
    • Periodic assessments of risk
    • Periodic testing and evaluation
    • Policies and procedures
    • Security awareness training

All organizations that access federal data are required to conduct annual security reviews to demonstrate that they can maintain, monitor, and implement systems to meet FISMA compliance standards. FISMA Assessment and Authorization (A&A) is a four-phase process. 

1. Initiation phase
Includes preparation, resource identification, and system analysis

2. Security certification phase
Includes security control assessment (i.e., prepare, conduct, and document) and certification documentation (i.e., informs the information system owner of vulnerable areas in the system and provides recommendations)

3. Security accreditation phase
Includes accreditation decision and documentation 

4. Continuous monitoring phase
Includes system configuration, security management, monitoring, and reporting


Benefits of FISMA Compliance

There are a number of benefits associated with FISMA compliance:

  • Security
    Requirements for a stringent set of data protection criteria and standards significantly enhance protection and provide the necessary programs to support recovery of critical systems in an unexpected incident.
  • Reduced risk
    Requirements for risk assessments and monitoring proactively identify risks.
  • Efficiency
    Part of FISMA 2014 included the elimination of unnecessary reporting.
  • Increased revenue opportunities
    Meeting requirements for FISMA compliance allows organizations to acquire new business from other federal agencies.

Penalties for FISMA Compliance Violations

For government agencies and private-sector vendors, failure to comply with FISMA could result in:

  • Censure by U.S. Congress
  • Government hearings
  • Loss of future contracts 
  • Poor cybersecurity infrastructure 
  • Reduction or elimination of federal funding
  • Reputational damage

Who Oversees FISMA Compliance?

There are two regulatory bodies that work with FISMA:

1. NIST, which has the authority to create programs that bolster IT security and risk management practices.

2. DHS, which is responsible for administering the implementation of programs created by NIST in order to maximize federal information system security.

Best Practices for FISMA Compliance

  • Categorize information that requires protection  
  • Classify data based on its level of sensitivity as it is created  
  • Encrypt sensitive data   
  • Establish baseline controls for the minimum necessary standard of security 
  • Implement and document security controls   
  • Implement monitoring practices for security systems  
  • Stay up to date with FISMA standards, NIST guidelines, and other security best practices
  • Perform risk assessments to optimize the security controls based on how data is used, stored, managed, and transmitted 

FISMA Compliance Finetunes Data Security

Attaining FISMA compliance can bring monetary benefits, such as enabling private sector contractors to conduct business with federal agencies. FISMA compliance also boosts security to empower organizations to adhere to some of the highest standards and best practices. And, perhaps most importantly, FISMA compliance ensures proactive protection with ongoing risk assessment and management.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 10th March 2022

Which law requires each federal agency to develop an information security program?

FISMA requires each federal agency to create an agency-wide information security program that includes training employees, contractors, and any other users of their IT systems.

What does FISMA specify?

FISMA allows for:

  • An increase in the security of federal information, both within federal and state agencies
  • Any business within the private sector to ensure that it is using the best security policies
  • More baseline controls and security plans, and a greater ability to respond to vulnerabilities

What standard for information security includes specific requirements that apply to federal agencies in the United States?

FISMA is U.S. government legislation that defines a comprehensive framework to protect government information, operations, and assets against threats. Signed into law in 2002 and updated in 2014, FISMA requires that federal systems meet a set level of security requirements (also known as “controls”).

Why was FISMA enacted?

FISMA was created for several reasons. First, it was designed to protect sensitive information held by the government. Compliance is mandatory for federal agencies as well as state agencies that administer federal programs such as Medicare.