FISMA Compliance


The Federal Information Security Management Act (FISMA), passed into law in December 2002 as a part of the eGovernment Act, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency. It requires executive agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their information systems
  • Authorize system processing prior to operations and, periodically, thereafter

FISMA applies to all federal agencies, contractors, or organizations whose information systems possess or make use of federal information.

The Federal Government has developed “Standards for Security Categorization of Federal Information and Information Systems” in order to comply with FISMA. These standards are published in FIPS Publication 199 and various other NIST (National Institute of Standards and Technology) publications.

Agiliance IT GRC 5-step process


FISMA focuses on Assessment, Enforcement and Compliance

FISMA's requirements fall into three major categories: assessment, enforcement, and compliance. The first category pertains to determining the adequacy of the security of federal assets; the second requires that key information security provisions be implemented and managed; the third establishes provisions for the management of each agency's information security program and the accountability of each agency for compliance and reporting. The Agiliance IT-GRC platform enables organizations to meet the requirements in all three categories.


Agiliance's Key Capabilities:

  • Maintain a repository of all assets (hardware, software, physical IT infrastructure, IT processes) that contain relevant data. Asset information can either be imported from external systems or populated through asset discovery technology. The system supports a comprehensive asset data model to document relationships between assets, organizations, processes and people.
  • Enable the organization to evaluate how critical an asset is to maintaining the integrity and confidentiality of relevant information, and then assess its overall risk.
  • Maintain a library of controls based on FISMA requirements, as defined in NIST standards.
  • Provide an infrastructure for assessing compliance with controls
    • Automate the process of distributing and collecting periodic surveys and self-assessments to evaluate compliance.
    • Integrate with monitoring tools and compare asset configuration against controls and policies to identify non-compliance on a continuous basis.
  • Report on asset compliance scores, both for status reporting and as evidence of compliance for internal and external auditors.
  • Compute an asset's composite risk score from multiple criteria: the business impact of its impairment, its compliance with policies (including security policies), and its vulnerability as reported by external feeds. The risk score allows users to prioritize which non-compliant assets need to be addressed first for remediation.
  • Trigger the remediation process.