Still the Law: 10 Must-Dos of FISMA
Advice from a Top Government IT Security Expert

As efforts to overhaul the Federal Information Security Management Act work their way through Congress, FISMA remains the law of the land, and federal agencies must comply with its provisions until new legislation passes both houses and is signed by President Obama.
In Congressional testimony earlier this month, Gregory Wilshusen, information security issues director at the Government Accountability Office, reminded a House panel that FISMA requires each agency to develop, document and implement an agency-wide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Specifically, Wilshusen said, FISMA requires information security programs to include, among other things:
1. Periodic assessments of the risk that could result from the compromise of information or information systems.
2. Risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level.
3. Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems.
4. Security awareness training for agency personnel, including contractors.
5. Periodic testing and evaluation of the effectiveness of information security policies, procedures and practices.
6. A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies.
7. Procedures for detecting, reporting, and responding to security incidents.
8. Plans and procedures to ensure continuity of operations.
9. An annually updated inventory of major information systems operated by the agency or under its control.
10. An annual report to the White House Office of Management and Budget, selected congressional committees and the comptroller general on the adequacy of its information security policies, procedures, practices, and compliance with requirements.