What Guidance Identifies Federal Information Security Controls?

FISMA provides the guidance that details federal information security controls. Under it, agencies must implement a defined set of requirements to secure their data and operations.

NIST Special Publication 800-53A is one such guidance document; it helps ensure consistency when matching types of data with security impact levels.

1. Identification and Authentication

User authentication mechanisms are designed to uniquely identify and authenticate individuals accessing information resources. They may include factors such as passwords, tokens, biometrics or any other means of verifying that someone accessing these resources is indeed who they claim to be and is permitted access. This control applies both locally and remotely; remote access requires additional guidance, such as the minimum strength requirements in NIST Special Publication 800-63.

Universities use password authentication mechanisms to safeguard the confidentiality, integrity and availability of university data. Information becomes vulnerable if it falls into the hands of untrustworthy parties who gain unauthorized access, which can result in lost revenue, liability claims or embarrassment for the university. This control therefore outlines procedures for creating, distributing and protecting password authentication mechanisms to prevent their exploitation or use by unauthorized entities.
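As an added illustration (not code from the original article), the following Python sketch shows what the NIST SP 800-63B minimum strength requirements referenced above look like when a verifier enforces them: a minimum of 8 and a maximum of at least 64 characters, a blocklist of compromised and context-specific values, no composition rules, and a cap on consecutive failed attempts. The blocklist contents are constructed.

```python
import unicodedata

# Constructed stand-in for the blocklist 800-63B requires: values known to be
# commonly used, expected, or compromised. A real deployment loads a large list.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN = 8   # 800-63B: subscriber-chosen memorized secrets are at least 8 characters
MAX_LEN = 64  # 800-63B: verifiers accept at least 64 characters and never truncate

def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization before counting length or comparing,
    so visually identical inputs are treated the same (an 800-63B recommendation)."""
    return unicodedata.normalize("NFKC", secret)

def check_memorized_secret(secret: str, username: str = "", service: str = "") -> list:
    """Return the reasons a proposed memorized secret is rejected; an empty list
    means it is accepted. Note what is deliberately absent: no composition rules
    (upper/lower/digit/symbol) and no expiry check, both of which 800-63B advises
    against because they push users toward predictable secrets."""
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    if len(s) > MAX_LEN:
        reasons.append("too long")
    if lowered in BLOCKLIST:
        reasons.append("on blocklist")
    # Context-specific words (account name, service name) are prohibited too.
    if any(ctx and ctx.lower() in lowered for ctx in (username, service)):
        reasons.append("contains context-specific word")
    # Repetitive strings such as "aaaaaaaa" are another category 800-63B lists.
    if len(s) >= 4 and len(set(lowered)) == 1:
        reasons.append("repetitive characters")
    return reasons

class AttemptLimiter:
    """Throttle online guessing: 800-63B limits consecutive failed attempts on
    one account to no more than 100 before the verifier must lock it out."""

    MAX_FAILED = 100

    def __init__(self):
        self.failed = {}

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt and return True if the account is now locked."""
        self.failed[account] = 0 if success else self.failed.get(account, 0) + 1
        return self.failed[account] >= self.MAX_FAILED
```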

FISMA of 2002 requires civilian agencies to implement measures for safeguarding the information systems that support agency operations and assets, and to report any unauthorized access or suspicious activity within timeframes that depend on severity. This control establishes procedures for reporting such incidents to the U.S. Computer Emergency Readiness Team at DHS within the specific timeframes set by OMB Memorandum M-06-20 of July 17, 2006.

2. Access Control

Organizations need access control technologies in place to prevent breaches and compromises by restricting who may gain entry to systems and data. This includes setting password requirements, restricting concurrent sessions, and hiding sensitive information when access is terminated or an account becomes inactive.

Organizations looking to ensure the security of an information system must make sure all external service provider communications pass through USDA- and FSIS-managed access control points, while restricting wireless communications to an organization-controlled boundary. This enables remote employees to use FSIS information systems while remaining assured that their actions won't be monitored by outside malicious actors.

FISMA requires civilian agencies to set and apply minimum security standards for their information systems, which includes developing incident response processes and reporting any incidents to the Federal Information Security Center.

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework outlines cybersecurity best practices and serves as a common language between stakeholders for risk management activities and their implementation. The Department of Defense's DFARS regulations, meanwhile, mandate specific controls to prevent disclosure or theft, as well as access control mechanisms that limit unapproved access.

3. Audit and Accountability

FISMA of 2002 mandates that each agency create an information security program to safeguard the operations and assets essential to fulfilling its mission, including evaluating the risks of unauthorized access, disclosure, disruption, modification or destruction of information systems or related assets.

Under FISMA, civilian agencies must notify the U.S. Computer Emergency Readiness Team within a certain period of any incidents affecting their information and information systems or any personal data stored within those systems. NIST guidance such as Special Publication 800-53A (Methods for Assessing Security Control Effectiveness) can assist civilian agencies in fulfilling this requirement.

NIST has also created an assessment questionnaire, available on its website, that helps organizations assess their current state, set improvement targets, and understand how best to approach improvement efforts.

An agency should develop and implement audit policies and procedures that are aligned with its organizational mission and business needs, updated regularly to reflect changes in the risk environment or in the information security controls it has implemented, disseminated to relevant personnel, and reviewed at least every three years or whenever there are significant shifts in the information security environment.

4. Awareness and Training

To protect federal information systems, employees must be trained to recognize and respond to cyber threats. To assist organizations, the government has issued guidance documents with best practices they should implement.

NIST Special Publication 800-53 provides methods and procedures that federal agencies can use to assess how effectively security controls are working. This guidance applies to all federal information systems except those designated as national security systems under 44 U.S.C 35422.

NIST also provides guidelines that assist agencies with identifying and defining what constitutes a critical piece of their system, such as Oracle Federal Financial System or Momentum, to develop an effective system protection plan and achieve certification and accreditation of those systems.

FISMA, or the Federal Information Security Management Act of 2002, mandates senior agency officials to develop comprehensive information security programs designed to safeguard all federal information systems and assets. This requires continuous monitoring as well as risk-based standards such as those found in NIST SP guidelines. FISMA further requires reporting incidents involving unauthorized access of personally identifiable information (PII) assets to US-CERT within specified timeframes.

5. Configuration Management

FISMA security controls require organizations to implement comprehensive cyber programs with many components in order to defend data and systems against cyber threats, which has proven extremely difficult; attackers have demonstrated this by exploiting vulnerabilities rapidly. To help organizations manage the challenge, guidance documents are readily available.

One is NIST Special Publication 800-53, which helps organizations select and implement effective cybersecurity controls for federal information systems. Another is Committee on National Security Systems Instruction No. 1253 which emphasizes protecting classified or sensitive data.

Configuration management entails developing and maintaining a baseline configuration: an overarching set of settings for the IT products (hardware, software and firmware) within an IT system. The baseline includes parameters pertaining to both the security posture and the functionality of these information systems.

Any unauthorized modification to configuration settings can trigger an alert to designated organizational personnel, or cause the settings to be restored to their established state. In extreme cases, this response could even halt information system processing.
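To make the configuration management control concrete, here is an added Python example (not from the article or from NIST) that models a baseline configuration, detects unauthorized deviations from it, raises an alert for each, restores the approved values, and signals a halt when a designated setting is changed. The baseline settings, their names and the digest check are constructed for this illustration.

```python
import hashlib
import json

# Constructed baseline: the approved settings for one host. A real baseline
# would be far larger and typically stored alongside its integrity digest.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "audit.enabled": "true",
}

def baseline_digest(baseline: dict) -> str:
    """SHA-256 over the canonical JSON form of the baseline, so the baseline
    itself can be integrity-checked before it is trusted for restoration."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def detect_drift(baseline: dict, current: dict) -> dict:
    """Return {setting: (expected, actual)} for every setting that deviates
    from the baseline; a setting missing from the host is reported as None."""
    drift = {}
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift

def respond(baseline: dict, current: dict, expected_digest: str, halt_on=frozenset()) -> dict:
    """Model the control's response described above: verify the baseline's
    integrity, alert on each unauthorized change, restore the approved value,
    and halt processing if a setting listed in halt_on was changed."""
    if baseline_digest(baseline) != expected_digest:
        raise RuntimeError("baseline integrity check failed; refusing to act on it")
    drift = detect_drift(baseline, current)
    alerts = [f"ALERT {k}: expected {e!r}, found {a!r}" for k, (e, a) in drift.items()]
    restored = dict(current)
    for key, (expected, _) in drift.items():
        restored[key] = expected
    halt = any(key in halt_on for key in drift)
    return {"alerts": alerts, "restored": restored, "halt": halt}
```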

FedRAMP Tailored allows agencies using low-impact SaaS services to select a smaller set of controls than those specified by NIST SP 800-53, depending on their use and information they place into it. This process of tailoring is explicitly permitted within the scope of NIST SP 800-53 revision 4.

6. Contingency Planning

Pro Tip: It is essential to remember that each framework or regulation has its own set of objectives, making selection difficult. Selecting the ideal framework or regulation for your organization involves considering such factors as industry compliance requirements, organizational goals and risk appetite – undertaking extensive research or seeking expert advice can assist you in making an informed decision.

As per Federal Information Security Management Act (FISMA) regulations, agencies must implement robust information security programs that involve continuous monitoring and risk evaluation. The National Institute of Standards and Technology (NIST) offers guidance documents such as Special Publication 800-53 to help agencies comply with the act, outlining a range of security controls including access control, incident response procedures and configuration management practices.

NIST SP 800-53 outlines a risk-based method for selecting controls for an agency's information systems and assessing their effectiveness.

FISMA also mandates that inspectors general inspect each agency’s program and practices, with civilian agencies reporting any security incidents to the U.S. Computer Emergency Readiness Team within specific timeframes.

Any information system containing tax data must also take steps to minimize physical or environmental damage and unauthorized access, such as placing its components at an alternate storage site geographically separated from the primary site so that both are not exposed to the same threats. It should also create contingency plans to resume essential mission and business functions within an approved Maximum Tolerable Downtime (MTD), protect those plans from unwarranted disclosure or modification, and coordinate their development with the other elements responsible for related plans.
