FISMA is the Federal Information Security Management Act of 2002. The goal of FISMA is to encourage government agencies to secure their data and information and to hold them accountable for doing so. Additionally, it encourages organizations that do business with the government to secure their information as well.
NIST SP 800-39, Managing Information Security Risk, defines risk management as “the program and supporting processes to manage information security risk to organizational operations (including mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation”. To integrate the risk management process throughout an organization and to address its mission and business concerns, a three-tiered approach is employed.
The process is carried out across three tiers with the objective of continuous improvement in the organization’s risk-related activities, with effective communication among tiers and stakeholders.
Figure 1 illustrates the three-tiered approach to risk management (NIST 800-53 r4 Summary).
In summary, NIST has requirements for assessment, enforcement, and compliance regarding how data and information are stored, transmitted, and shared. This forces organizations to test and correct for threats in cyber infrastructure architecture by continuously monitoring, testing, securing, and correcting for cyber threats.
If a government agency fails to meet these requirements, it may be punished by reduced budgets and media exposure. Private and public organizations that do business with the government may have their contracts limited, revoked, or suspended. Furthermore, gross failures in complying with the rules may permanently disqualify organizations from doing business with the government.
Organizations spend considerable time, effort, and money buying and implementing security products and policies in an effort to meet these compliance requirements. Agencies test their security policies by conducting internal and external penetration scans, hiring auditors to review their policies, and implementing access control standards and other security countermeasures as described in a variety of different NIST publications.
An article posted on net-security.org, dated September 23rd, 2013, discussed whether FISMA was helping or hurting cyber security efforts for the government. In my opinion, the article concludes what I think most people already believe: that compliance increases costs, makes implementing technology and strategy difficult, and does very little in the real world to increase or raise cyber security.
I believe there needs to be a fundamental shift away from compliance monitoring to continuous monitoring, shortening the attacker’s free time, reducing the kill chain, and detecting attacks.
Federal cyber security pros lack confidence in FISMA. (n.d.). Retrieved June 15, 2014, from http://www.net-security.org/secworld.php?id=15627
Diwakar, A. (2013, July 30). Covert Operations: Kill Chain Actions using Security Analytics. Dr Chaos RSS. Retrieved June 15, 2014, from http://www.drchaos.com/covert-operations-kill-chain-actions-using-security-analytics/