What is FISMA? What are the Pros and Cons?

The Federal Information Security Management Act (FISMA) requires federal agencies to implement information security plans to protect sensitive data. To do this, they created the National Institute of Standards and Technology (NIST) to establish minimum requirements for information security plans and procedures. These standards are free for the private sector to use and have become the industry baseline for most cybersecurity programs. Cybersecurity4biz uses this risk-based approach when securing your data. A risk-based approach means you weigh the risk of taking or not taking each action and decide which is best for your organization.

The objective of FISMA is to provide a comprehensive framework for ensuring the effectiveness of information security controls over the information resources that support federal operations and assets (FISMA, 2002). Policy-makers use this framework to establish a risk-based information security program that is consistent, comparable, and repeatable (US NIST, 2011).

It has been suggested that the controls required for compliance do not meet actual security needs and may be detrimental to IT security. I do not agree with this; in fact, NIST SP 800-53 specifically addresses the need to tailor controls to the organization's or system's needs (NIST, 2013). The standard control catalog provides a detailed and testable way to verify compliance.

FISMA mandates that every organization have a CIO and that they be held accountable for compliance with security standards (Perera, 2013). The focus all federal agencies are placing on this is improving their cybersecurity posture. Using the risk-managed approach enables a balance between compliance and operational needs that preserves mission effectiveness.

References

Federal Information Security Management Act. (2002). Retrieved from http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

National Institute of Standards and Technology. (2011, March 1). Federal Information Security Management Act (FISMA) implementation project. Retrieved from http://csrc.nist.gov/groups/SMA/fisma/index.html

National Institute of Standards and Technology. (2013). Recommended security controls for federal information systems and organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Perera, D. (2013). House Oversight and Government Reform approves FISMA Amendments Act. Questex Media Group, LLC, Delaware. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=edsgbe&AN=edsgcl.329628161&site=eds-live&scope=site
