The Federal Information Security Management Act of 2002 (FISMA)
The Federal Information Security Management Act of 2002 (FISMA) is a milestone in cyber security. Prior to 2002, whilst it was clearly advisable for all Federal Agencies to adopt some sort of formal cyber security program, it wasn’t until FISMA was passed that this became a requirement. It will be interesting to see if similar requirements become legislation for corporate America! One to watch perhaps?
There is some confusion as to whether or not FISMA is in itself a security framework. Whilst it can be regarded as a framework insofar as it provides direction, it does not provide the actual controls and guidelines that agencies must follow in order to fulfil their obligations. Those guidelines are provided by the National Institute of Standards and Technology (NIST).
FISMA requires government agencies to implement an information security program that effectively manages risk. NIST provides the specific guidance for complying with FISMA.
What is interesting about this approach is that it establishes formal guidance that ensures agencies fulfil their cyber security requirements, whilst also prioritising a ‘risk based’ approach. This not only produces a program fit for purpose depending on circumstance, but also draws particular focus to ‘cost effective’ security.
More recently, in 2011, the US Government confirmed the Federal Risk and Authorization Program (FedRAMP) as further legislative guidance for Government Cloud services. This act covers Government Agencies, Suppliers and Service Providers.
To make life easy, think of FedRAMP as FISMA for the Cloud.
For more details about the specific guidelines for FISMA and FedRAMP use the links below: