
Still the Law: 10 Must-Dos of FISMA

Advice from a Top Government IT Security Expert

As efforts to overhaul the Federal Information Security Management Act work their way through Congress, FISMA remains the law of the land, and federal agencies must comply with its provisions until new legislation passes both houses and is signed by President Obama.

In Congressional testimony earlier this month, Gregory Wilshusen, information security issues director at the Government Accountability Office, reminded a House panel that FISMA requires each agency to develop, document and implement an agency-wide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Specifically, Wilshusen said, FISMA requires information security programs to include, among other things:

1. Periodic assessments of the risk that could result from the compromise of information or information systems.

2. Risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level.

3. Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems.

4. Security awareness training for agency personnel, including contractors.

5. Periodic testing and evaluation of the effectiveness of information security policies, procedures and practices.

6. A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies.

7. Procedures for detecting, reporting, and responding to security incidents.

8. Plans and procedures to ensure continuity of operations.

9. An annually updated inventory of major information systems operated by the agency or under its control.

10. An annual report to the White House Office of Management and Budget, selected congressional committees and the comptroller general on the adequacy of its information security policies, procedures, practices, and compliance with requirements.


About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
