
Frequently Asked Questions


FISMA FAQs:

1. What is FISMA?

FISMA is the Federal Information Security Management Act of 2002. It was passed as Title III of the E-Government Act (Public Law 107-347) in December 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.


2. What is NIST's role in FISMA?

FISMA reaffirmed NIST's role in developing information security standards (Federal Information Processing Standards) and guidelines (Special Publications in the 800 series) for non-national security federal information systems, and assigned NIST specific responsibilities, including the development of:

  • Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels;
  • Guidelines recommending the types of information and information systems to be included in each category; and
  • Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category.

3. What is the FISMA Implementation Project?

The FISMA Implementation Project was established in January 2003 to produce the key security standards and guidelines required by the FISMA legislation. As part of the project, NIST also developed additional guidance (in the form of Special Publications) and a Risk Management Framework that integrates all of NIST's FISMA-related security standards and guidelines in order to promote the development of comprehensive, risk-based, and balanced information security programs by federal agencies. The ultimate objective of the Risk Management Framework and the associated publications is to enable agencies to conduct their day-to-day operations and accomplish their stated missions with adequate security, that is, security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. The Risk Management Framework and the associated publications are available at: http://csrc.nist.gov/publications/PubsSPs.html.


4. What are some examples of FISMA publications?

  • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
  • FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems;
  • NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems;
  • NIST Special Publication 800-30, Revision 1, Risk Assessment Guideline (October 2008);
  • NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach;
  • NIST Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective (DRAFT);
  • NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;
  • NIST Special Publication 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems;
  • NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System; and
  • NIST Special Publication 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories.

5. How does NIST ensure that its FISMA security standards and guidelines are technically correct and implementable by federal agencies?

NIST employs a comprehensive public review process for every FISMA standard and guideline to ensure that the publications are of the highest quality, that is, technically correct and implementable. NIST actively solicits and encourages individuals and organizations in the public and private sectors to provide feedback on the content of each FISMA publication. In most cases, the FISMA security publications go through three full public vetting cycles, giving individuals and organizations an opportunity to participate actively in the development of the standards and guidelines. NIST also works closely with owners, operators, and administrators of information systems within NIST to obtain real-time feedback on the implementability of the specific safeguards and countermeasures (i.e., security controls) being proposed for federal information systems. Finally, NIST has an extensive outreach program that maintains close contact with security professionals at all levels so that important feedback can be incorporated into future updates of the security standards and guidelines. The combination of an extensive public review process, experience in prototyping and implementing the safeguards and countermeasures in the information systems owned and operated by NIST, and an aggressive outreach program that keeps NIST in close contact with its constituents produces high-quality, widely accepted security standards and guidelines that are not only used by the federal government but are also frequently adopted on a voluntary basis by many organizations in the private sector.


6. Can NIST prioritize its recommended security controls to establish which controls agencies should deploy first?

Prioritizing the security controls in the baselines recommended by NIST would place emphasis on selected controls at the expense of other, equally important controls. In addition, publicly prioritizing baseline security requirements and controls would give threat agents and adversaries visibility into federal agencies' protection strategies, which would be damaging to those agencies. The approach recommended by NIST, centered on the Risk Management Framework, provides federal agencies with a disciplined, structured, and flexible process to select appropriate security controls for their information systems, a methodology to determine the effectiveness of those controls, and visibility into the residual risk to the organization's operations and assets, individuals, other organizations (partnering with the organization), and the Nation. The deployment of security controls uses a defense-in-depth approach that combines management, operational, and technical safeguards and countermeasures to address all aspects of the threat space. This balanced approach to control selection and deployment recognizes that technology alone cannot protect federal information systems. Federal agencies require a holistic approach to protecting critical missions and business functions in which people, processes, and technology work together in a complementary and mutually reinforcing manner.


7. Is FISMA compliance mostly a paperwork exercise?

No. FISMA compliance requires the thoughtful selection and employment of stringent security controls for federal information systems using a risk-based approach to protect critical federal missions and business functions. In addition to technology-based controls such as access control, identification and authentication, audit and accountability, encryption, and system and communications protection, there are management and operational controls that address important security areas such as physical security, personnel security, continuity of operations, awareness and training, incident response, security planning, system integrity, and acquisition. Developing sound security policies and procedures is a critical aspect of building an effective information security program. Security policies, while administrative in nature, demonstrate in clear and unequivocal terms senior management's commitment to information security and to protecting the organization's operations (mission, functions, image, and reputation) and assets, individuals, other organizations, and the Nation. Security procedures provide the details the organization's security professionals need to implement those policies effectively. Effective policies and procedures, in conjunction with technology-based security controls, provide a defense-in-depth and holistic approach to information security and to managing organizational risk from information systems. In addition, specific management controls require an assessment of the controls in organizational information systems to determine their overall effectiveness. The determination of security control effectiveness provides the critical information senior leaders and executives need to make credible risk-based decisions about the authorization (accreditation) of information systems.


8. Are there automated tools to support FISMA implementation and efficient and affordable generation of certification and accreditation evidence?

Yes. There are many emerging automated support tools that can help federal agencies implement and assess security controls necessary for FISMA compliance. Many of the technical security controls in NIST Special Publication 800-53 that have security configuration settings can benefit from the automated testing procedures being developed under the multi-agency Information Security Automation Program using the Security Content Automation Protocol. Automated support tools for the management and reporting of FISMA-related information are also available under the OMB Line of Business initiative.


9. Who determines the adequacy of FISMA compliance?

Many organizations and individuals have a role in determining FISMA compliance. Congress establishes top-level security requirements for federal agencies and their support contractors in the FISMA legislation. NIST develops the security standards and guidelines necessary for FISMA implementation, including a risk-based approach for selecting, implementing, and assessing security controls for federal information systems and for determining risk to organizational operations and assets, individuals, other organizations, and the Nation. Agency heads, in coordination with their Chief Information Officers and Senior Agency Information Security Officers, report the security status of their information systems to OMB in accordance with annual FISMA reporting guidance. Inspectors General provide an independent assessment of the security status of federal information systems and also report their results to OMB annually.


10. Is the Federal Information Security Management Act (FISMA) mentioned in the Federal Acquisition Regulations?

Yes. FISMA is referenced directly in the FAR, which is available at http://www.acquisition.gov/far. FAR Section 7.103 (page 7.1-2) states:

"Agency-head responsibilities--- The agency head or a designee shall prescribe procedures for ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce's National Institute of Standards and Technology."

Therefore, the FAR points to FISMA, OMB Circular A-130, and the security standards and guidance developed by the National Institute of Standards and Technology at the Department of Commerce. The NIST security standards and guidance can be found on the Computer Security Division web site at http://csrc.nist.gov with specific information on the FISMA Implementation Project webpage.




Continuous Monitoring FAQs:

The Continuous Monitoring FAQs are being updated based on the release of OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, September 14, 2011 (http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf), along with the imminent release of NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.

