FISMA is the Federal Information Security Management Act of 2002. It was passed as Title III of the E-Government Act (Public Law 107-347) in December 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA reaffirmed NIST’s role of developing information security standards (Federal Information Processing Standards) and guidelines (Special Publications in the 800-series) for non-national security federal systems and assigned NIST some specific responsibilities, including the development of:

• Standards to be used by Federal agencies to categorize information and systems based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and systems to be included in each category; and
• Minimum information security requirements (management, operational, and technical security controls) for information and systems in each such category.

The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by the FISMA legislation. As a key element of the FISMA Implementation Project, NIST also developed additional guidance (in the form of Special Publications) and a Risk Management Framework which effectively integrates all of NIST’s FISMA-related security standards and guidelines in order to promote the development of comprehensive, risk-based, and balanced information security programs by federal agencies. The ultimate objective of the Risk Management Framework and the associated publications is to enable agencies to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. The Risk Management Framework and the associated publications are available at: http://csrc.nist.rip/publications/PubsSPs.html.

Federal Information Processing Standards (FIPS):

FIPS 199,  Standards for Security Categorization of Federal Information and Information Systems; and

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems;

Special Publications (SP):

SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;

SP 800-30 Revision 1, Guide for Conducting Risk Assessments;

SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach;

SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View;

SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;

SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans;

SP 800-59, Guideline for Identifying an Information System as a National Security System;

SP 800-60 Revision 1 (Volume 1 (Document) and Volume 2 (Appendices)), Guide for Mapping Types of Information and Information Systems to Security Categories;

SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; and

SP 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

NIST Interagency Reports (NISTIR):

NISTIR 8011, Automation Support for Security Control Assessments

• Volume 1: Overview
• Volume 2: Hardware Asset Management

NIST employs a comprehensive public review process on every FISMA standard and guideline to ensure the security standards and guidelines are of the highest quality—that is, technically correct and implementable. NIST actively solicits and encourages individuals and organizations in the public and private sectors to provide feedback on the content of each of the FISMA publications. In most cases, the FISMA security publications go through three full public vetting cycles providing an opportunity for individuals and organizations to actively participate in the development of the standards and guidelines. NIST also works closely with owners, operators, and administrators of systems within NIST to obtain real-time feedback on the implementability of the specific safeguards and countermeasures (i.e., security controls) being proposed for federal systems. Finally, NIST has an extensive outreach program that maintains close contact with security professionals at all levels to ensure important feedback can be incorporated into future updates of the security standards and guidelines. The combination of an extensive public review process for standards and guideline development, the experience in prototyping and implementing the safeguards and countermeasures in the systems owned and operated by NIST, and the aggressive outreach program that keeps NIST in close contact with its constituents, produces high-quality, widely accepted security standards and guidelines that are not only used by the federal government, but are frequently adopted on a voluntary basis by many organizations in the private sector.

Prioritizing security controls in the baselines recommended by NIST would place emphasis on selected security controls at the expense of other, equally important controls. In addition, providing public prioritization of baseline security requirements and controls would give threat agents and adversaries important information which would be damaging to federal agencies in giving visibility into their protection strategies. The approach recommended by NIST, centered around the Risk Management Framework, provides federal agencies with a disciplined, structured, and flexible process to select appropriate security controls for their systems, a methodology to determine the effectiveness of those controls, and visibility into the residual risks to the organization’s operations and assets, individuals, other organizations (partnering with the organization), and the Nation. The deployment of security controls uses a defense-in-depth approach which combines management, operational, and technical safeguards and countermeasures to address all aspects of the threat space. The balanced approach to control selection and deployment recognizes that technology alone cannot protect federal systems. Federal agencies require a holistic approach to protecting critical missions and business functions which includes people, processes, and technology working together in a complementary and mutually reinforcing manner.

No. FISMA compliance requires the thoughtful selection and employment of stringent security controls for federal systems using a risk-based approach to protect critical federal missions and business functions. In addition to technology-based controls such as access control, identification and authentication, audit and accountability, encryption, and system and communications protection, there are also management and operational controls that address important security areas such physical security, personnel security, continuity of operations, awareness and training, incident response, security planning, system integrity, and acquisition. Developing sound security policies and procedures is a critical aspect of building an effective information security program. Security policies, while administrative in nature, demonstrate in clear and unequivocal teams, senior management’s commitment to information security and protecting the organization’s operations (mission, functions, image, and reputation) and assets, individuals, other organizations, and the Nation. Security procedures provide the necessary details for the organization’s security professionals to effectively implement the security policies. Effective policies and procedures, in conjunction with technology-based security controls, provide a defense-in-depth and holistic approach to information security and managing organizational risk from systems. In addition to the above, there are specific management controls that require an assessment of the controls in organizational systems to determine overall effectiveness. The determination of security control effectiveness provides critical information to senior leaders/executives needed to make credible risk-based decisions for the authorization (accreditation) of systems.

Yes. There are many emerging automated support tools that can help federal agencies implement and assess security controls necessary for FISMA compliance. Many of the technical security controls in NIST Special Publication 800-53 (Rev. 4) that have security configuration settings can benefit from the automated testing procedures being developed under the multi-agency Information Security Automation Program using the Security Content Automation Protocol. Automated support tools for the management and reporting of FISMA-related information are also available under the OMB Line of Business initiative.

Many organizations and individuals have a role in determining FISMA compliance. Congress establishes top-level security requirements for federal agencies and support contractors in the FISMA legislation. NIST develops the security standards and guidelines necessary for FISMA implementation including a risk-based approach for selecting, implementing, and assessing security controls for federal systems and for determining risk to organizational operations and assets, individuals, other organizations, and the Nation. Agency heads, in coordination with their Chief Information Officers and Senior Agency Information Security Officers report the security status of their systems to OMB in accordance with annual FISMA reporting guidance. Inspectors General provide an independent assessment of the security status of federal systems, also reporting results to OMB annually.

Yes. There is a strong reference to FISMA in the FAR. The FAR link is provided at: http://www.acquisition.gov/far. Page 7.1-2, FAR Section 7.103 states:

"Agency-head responsibilities--- The agency head or a designee shall prescribe procedures for ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce's National Institute of Standards and Technology."

Therefore, the FAR points to FISMA, OMB Circular A-130, and the security standards and guidance developed by the National Institute of Standards and Technology at the Department of Commerce. The NIST security standards and guidance can be found on the Computer Security Division web site at http://csrc.nist.rip with specific information on the FISMA Implementation Project webpage.