Federal Information Security Management Act of 2002: Difference between revisions

From Citizendium
imported>Howard C. Berkowitz
No edit summary
Line 1: Line 1:
Enacted in 2002, the '''Federal Information Security Management Act''' (FISMA), was passed to support the [[E-Government Act of 2002]]. Without [[information security]], it is impossible for government to deliver reliable services through electronic means.
Enacted in 2002, the '''Federal Information Security Management Act''' (FISMA), was passed to support the [[E-Government Act of 2002]]. Without [[information security]], it is impossible for government to deliver reliable services through electronic means.
 
==Framework==
Technical definitions and framework are in [[Federal Information Processing Standard]] (FIPS) [[FIPS PUB 199]], "Standards for the Security Categorization of Federal Information and Information Systems".<ref name=FIPS199>{{citation
| id = FIPS PUB 199
| title = Standards for the Security Categorization of Federal Information and Information Systems
| publisher = Computer Security Division, Information Technology Laboratory, [[National Institute for Standards and Technology]]
| date = February 2004}}</ref>  While the detailed guidance is in additional guidance, FIPS 199 interprets FISMA as having three dimensions of security categorization:
*'''Confidentiality'''
*'''Integrity'''
*'''Availability'''
and matrixes these against ''potential impact'' characterized as low, medium and high:
{| class="wikitable"
|-
! Factor
|-
! Low
! Medium
! High
|-
| Confidentiality
| row 1, cell 2
| row 1, cell 3
|
|-
| Integrity
| row 2, cell 2
| row 2, cell 3
|
|-
| Availability
| row 2, cell 2
| row 2, cell 3
|
|}
==Criticism==  
==Criticism==  
FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.<ref name=FCW2009-07-01>{{citation
FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.<ref name=FCW2009-07-01>{{citation
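Review bot: The table added under ==Framework== still carries the wikitable skeleton placeholders (`row 1, cell 2`, `row 2, cell 3`, with the Availability row repeating the `row 2` placeholders) and an empty fourth cell in every row, so it renders with no actual impact definitions for the Low/Medium/High columns; either fill the cells from FIPS PUB 199, which the preceding sentence cites as the source of the categorization, or leave the table out until the content is available. The header is also split across two rows (`! Factor` on its own, then `! Low`, `! Medium`, `! High`), which renders as a one-column header above a three-column header; collapse it to a single row such as `! Factor !! Low !! Medium !! High`. Minor: "While the detailed guidance is in additional guidance" repeats itself and the sentence after the citation opens with a double space.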

Revision as of 10:40, 12 September 2009

Enacted in 2002, the Federal Information Security Management Act (FISMA) was passed to support the E-Government Act of 2002. Without information security, it is impossible for government to deliver reliable services through electronic means.

Framework

Technical definitions and framework are in Federal Information Processing Standard (FIPS) publication FIPS PUB 199, "Standards for the Security Categorization of Federal Information and Information Systems".[1] While detailed guidance is given in separate publications, FIPS 199 interprets FISMA as having three dimensions of security categorization:

  • Confidentiality
  • Integrity
  • Availability

and arranges these in a matrix against potential impact, characterized as low, medium and high:

  Factor          | Low           | Medium        | High
  ----------------|---------------|---------------|-----
  Confidentiality | row 1, cell 2 | row 1, cell 3 |
  Integrity       | row 2, cell 2 | row 2, cell 3 |
  Availability    | row 2, cell 2 | row 2, cell 3 |

Criticism

FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.[2]

In April 2009, Senator Thomas Carper (D-Delaware) introduced two pieces of legislation to force more actual compliance and less paper reporting of hypothetical compliance.[3] Hearings were also held in May 2009 by the Subcommittee on Government Management, Organization and Procurement of the U.S. House Committee on Oversight and Government Reform.[4]

References

  1. Computer Security Division, Information Technology Laboratory, National Institute for Standards and Technology (February 2004), FIPS PUB 199: Standards for the Security Categorization of Federal Information and Information Systems
  2. Ben Bain (1 July 2009), "GAO urges improvements to FISMA: An auditor recommends steps to improve information security at agencies", Federal Computer Week
  3. Ben Bain (28 April 2009), "Carper introduces bills to reform IT procurement, FISMA", Federal Computer Week
  4. Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform (19 May 2009), Hearing Testimony and Witness List for the Subcommittee Hearing on "The State of Federal Information Security"