Information Security Regulatory Compliance and Privacy: FISMA

By Peter H. Gregory

If you are interested in a career in information security, you will need to know about FISMA. The Federal Information Security Management Act, or FISMA, requires that all U.S. federal government systems meet minimum security standards. Many U.S. states, counties, and cities have also adopted the same level of standards.

NIST SP800‐53 and FIPS‐200

In simplest terms, FISMA requires that U.S. federal government agencies comply with several standards, including NIST (National Institute of Standards and Technology) Special Publication 800‐53, Security and Privacy Controls for Federal Information Systems and Organizations, and FIPS (Federal Information Processing Standards) Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

Many nongovernment organizations voluntarily comply with the NIST and FIPS standards, because they recognize their value and understand that doing so will increase their security.

Certification and accreditation

Government agencies are required to undergo a process that includes an assessment of an information system and a formal approval process that authorizes the agency to begin (or continue) use of the system. These processes are together known as certification and accreditation, or C&A. The certification part is the assessment of the system against NIST 800‐53, FIPS‐200, and possibly other standards and requirements. The accreditation part is the formal authorization to use the system after the assessment has been completed and analyzed.

New systems are required to undergo C&A, and most systems are required to be recertified periodically, typically every one to three years.

FedRAMP

Organizations that provide services to the U.S. federal government are also required to comply with NIST 800‐53 and FIPS‐200. Government agencies are required to use a process called FedRAMP (Federal Risk and Authorization Management Program) to assess service providers before they are used. This requirement primarily applies to cloud service providers and other cases in which government agencies outsource IT infrastructure or applications to service providers.