The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act was meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits. FISMA has brought attention within the Federal Government to cyber security, which had previously been much neglected. As of February 2005, many government agencies received extremely poor marks on the official report card, with an average of 67.3% for 2004, an improvement of only 2.3 percentage points over 2003.[1] This shows a marginal increase in how federal agencies prioritize cyber security, but experts warn that this system of measurement is misleading. Many argue that, as actually implemented across Federal departments and agencies, FISMA measures the wrong things. It is therefore entirely possible for an agency with a high grade to be less secure than an agency with a lower grade; a high grade is no guarantee of actual security. Despite its value in raising awareness of such an important issue, some feel that FISMA is fatally flawed and will never bring Federal information systems, networks and information to the point where they are safe from those who wish to do them harm. Those detractors are correct to a degree: FISMA alone is not the solution to Federal information security challenges.
FISMA imposes a mandatory set of processes that must be followed for all information systems used or operated by a US Government federal agency, or by a contractor or other organization on behalf of a US Government agency. These processes must follow a combination of Federal Information Processing Standards (FIPS) documents, the Special Publication 800 (SP 800) series issued by NIST, and other legislation pertinent to federal information systems, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act. Unfortunately, following these mandates only results in "compliance," not "security."
Determine the Boundaries of the System: The first step is determining what constitutes the "information system" in question. There is no direct mapping of computers to information systems; rather, an information system can be a collection of individual computers put to a common purpose and managed by the same system owner. NIST SP 800-18 Revision 1 provides guidance on determining system boundaries. In actual practice, no two agencies apply the guidance the same way, and the Office of Management and Budget has yet to provide useful clarification. Moreover, no two agency inspectors general evaluate the definition of system boundaries the same way either. As a result, no two departments or agencies apply the same approach to defining systems, applications, interconnections or controls.
Source: (www.en.wikipedia.org) 2007