Presentation is loading. Please wait.

Presentation is loading. Please wait.

Complying With The Federal Information Security Act (FISMA)

Published byCharles Cole Modified over 9 years ago

Similar presentations

Presentation on theme: "Complying With The Federal Information Security Act (FISMA)"— Presentation transcript:

1 Complying With The Federal Information Security Act (FISMA)

2 What is FISMA? FISMA Congress included the FISMA as part of the E-Government Act of FISMA is the primary legislation that governs required security activities associated with the Certification and Accreditation Process. It sets forth specific requirements for security programs as well as an annual reporting requirement. As a DAA you will be responsible for executive oversight on meeting program and reporting requirements as outlined on the following slides.

3 Purpose of FISMA Bringing Standardization to security control selection and assessment through: Providing a consistent framework for protecting information at the federal level. Providing effective management of risks to information security. Providing for the development of adequate controls to protect information and systems. Providing a mechanism for effective oversight of federal security programs.

4 FISMA Requirements Federal agencies are required to establish an integrated, risk-based information security program that adheres to high-level requirements governing how information security is conducted within their agency. Agencies are required to: assess the current level of risk associated with their information and information systems define controls to protect those systems implement policies and procedures to cost-effectively reduce risk periodically test and evaluate those controls train personnel on information security policies and procedures and manage incidents (incident response plan/process).

5 FISMA Dictates… Responsibilities of chief security officers.
Actions required to assess risk. Actions required to mitigate risk. Security awareness training. Testing of security practices and controls. Procedures for responding to security issues. Procedures for business continuity.

6 FISMA and NIST NIST provides guidance on FISMA that is detailed and in-depth NIST guidance includes: Standards for categorizing information and information systems by mission impact. Standards for minimum security requirements for information and information systems. Guidance for selecting appropriate security controls for information systems. Guidance for assessing security controls in information systems and determining security control effectiveness. Guidance for certifying and accrediting information systems.

7 NIST FISMA Related Publications
FIPS Publication 199 (Security Categorization) FIPS Publication 200 (Minimum Security Requirements) NIST Special Publication , Rev 1 (Security Planning) NIST Special Publication , Rev 1 (Risk Management) NIST Special Publication (Certification & Accreditation) NIST Special Publication Rev 3 (Recommended Security Controls) NIST Special Publication A Rev 1(Security Control Assessment) NIST Special Publication (Security Category Mapping)

8 FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems
The standard used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels Information systems are categorized as either Low, Moderate, or High Risk Systems based on the Confidentiality, Integrity, and Availability security requirements necessary to protect the data/information processed, stored, or transmitted by the information system.

9 FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
Provides minimum information security requirements for information and information systems in each security category defined in FIPS 199 Dictates the requirements to utilize NIST SP for the baseline security control requirements.

10 NIST SP 800-37 Rev 1, Guide to Apply the Risk Management Framework to Federal Information Systems
Establishes a six-step Risk Management Framework for Federal Information Systems: Categorize the Information System Select Security Controls Implement Security Controls Assess Security Controls Authorize the Information System Monitor the Security Controls Applicable to non-national security information systems as defined in the Federal Information Security Management Act of 2002

11 NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
Defines the format and content for Security Plans, as required by OMB Circular No. A-130. The Security Plan main functions include: Overviewing the system’s security requirements Describing the controls in place or planned for meeting those requirements Delineating responsibilities and expected behavior of all individuals who access the system Documenting the structured process of planning adequate, cost-effective security protection for the system

12 NIST SP 800-30 Rev 1, Risk Management Guide for Information Technology Systems
Definitional and Practical Guidance regarding concept and practice of managing IT-related risks Risk Management provides balance between operational objectives and economic costs of protective measures better securing of IT systems that store, process, or transmit organizational information; enabling management to make well-informed risk management decisions to justify the expenditures assisting management in authorizing (or accrediting) the IT systems

13 NIST SP 800-34 Rev 1, Contingency Planning Guide For Federal Information Systems
Provides instructions, recommendations, and considerations for government IT contingency planning. Provides specific contingency planning recommendations for seven IT platforms Strategies and techniques common to all systems

14 NIST SP Rev 3, Recommended Security Controls for Federal Information Systems and Organizations The purpose of NIST Special Publication , rev 3 is to provide guidelines for selecting and specifying security controls for information systems… Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542 Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems

15 NIST SP 800-53a Rev 1, Guide for Assessing the Security Controls In Federal Information Systems
Provides standardized techniques and procedures to verify the effectiveness of security controls Provides a single baseline verification procedure for each security control in SP , rev 3 Allows additional verification techniques and procedures to be applied at the discretion of the agency

16 NIST SP Vol I and Vol II, Guide for Mapping Types of Information and Information Systems to Security Categories Provides guidelines recommending the types of information and information systems to be included in each category of potential security impact. Assists agencies to map security impact levels in a consistent manner to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).

17 SUMMARY Key activities in managing enterprise-level risk—risk resulting from the operation of an information system: Categorize the information system Select set of minimum (baseline) security controls Refine the security control set based on risk assessment Document security controls in system security plan Implement the security controls in the information system Assess the security controls Determine agency-level risk and risk acceptability Authorize information system operation Monitor security controls on a continuous basis

18 QUESTIONS?

19 LARRY CHMIEL Security and Privacy Consulting, LLC

Download ppt "Complying With The Federal Information Security Act (FISMA)"

Similar presentations

Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.

Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.

Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.
Presented by Loren Schwartz, CPA, CISSP, CISA, CIPP

Presented by Loren Schwartz, CPA, CISSP, CISA, CIPP
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Risk Assessment Frameworks

Risk Assessment Frameworks
Risk Management Framework

Risk Management Framework
Federal IT Security Professional - Manager FITSP-M Module 1.

Federal IT Security Professional - Manager FITSP-M Module 1.
1 Dan Steinberg, JD Portland, OR May 4, 2011 Speaking Notes Privacy and Security for Research Repositories Please do not reuse or republish without attribution.

1 Dan Steinberg, JD Portland, OR May 4, 2011 Speaking Notes Privacy and Security for Research Repositories Please do not reuse or republish without attribution.
1 IT Security Awareness, Training and Education Trends Dan Costello Policy Analyst OMB.

1 IT Security Awareness, Training and Education Trends Dan Costello Policy Analyst OMB.

Similar presentations

Ads by Google