Federal Information Security Management Act of 2002: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Howard C. Berkowitz
imported>Howard C. Berkowitz
No edit summary
Line 39: Line 39:
|
|
|}
|}
==Status==
On May 19, 2009, the House took testimony at the required 60-day reporting interval after start of FISMA implementation.<ref name=SCGMOP-2009-05-09>{{citation
| date = 19 May 2009
| title = Hearing Testimony and Witness list for the Subcommittee Hearing on: "The State of Federal Information Security."
| publisher = [[Subcommittee on Government Management, Organization and Procurement]],  [[U.S. House Committee on Oversight and Government Reform]]
| url = http://governmentmanagement.oversight.house.gov/story.asp?ID=2442}}</ref> [[Vivek Kundra]], the Federal Chief Information Officer, summarized the overall status: "recent successful breaches at the Federal Aviation Administration and at the vendor that hosts USAjobs.gov demonstrate that the current state of information security at Federal agencies is not what the American people have the right to expect. The Federal Information Security Management Act (FISMA) has been in place for 7 years. It has raised the level of awareness in the agencies and in the country at large, but we are not where we need to be." OMB identified the following key issues:<ref name=Kundra>{{citation | author = Vivek Kundra, Federal Chief Information Officer, [[Office of Management and Budget]]
| title = The State of Federal Information Security
| publisher = [[Subcommittee on Government Management, Organization and Procurement]],  [[U.S. House Committee on Oversight and Government Reform]]
| date = May 19, 2009
| url = http://governmentmanagement.oversight.house.gov/documents/20090518125252.pdf}}</ref>
*The performance information currently collected under FISMA does not fully reflect the security posture of Federal agencies;
*The processes used to collect the information are cumbersome, labor‐intensive, and take time away from meaningful analysis, and;
*The Federal community is focused on compliance, not outcomes
==Criticism==  
==Criticism==  
FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.<ref name=FCW2009-07-01>{{citation
FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.<ref name=FCW2009-07-01>{{citation
Line 46: Line 59:
  | url = http://fcw.com/articles/2009/07/01/gao-gives-advice-on-fisma-improvements.aspx}}</ref>   
  | url = http://fcw.com/articles/2009/07/01/gao-gives-advice-on-fisma-improvements.aspx}}</ref>   


In April 2009, Senator [[Thomas Carper]] ([[U.S. Democratic Party|D-]][[Delaware]])) introduced two pieces of legislation to force more actual compliance and less paper reporting of hypothetical compliance.<ref name=FCW2009-08-28>{{citation
In April 2009, Senator [[Thomas Carper]] ([[U.S. Democratic Party|D-]][[Delaware]]) introduced two pieces of legislation to force more actual compliance and less paper reporting of hypothetical compliance.<ref name=FCW2009-08-28>{{citation
  | url = http://www.fcw.com/Articles/2009/04/28/Senate-FISMA-reform.aspx
  | url = http://www.fcw.com/Articles/2009/04/28/Senate-FISMA-reform.aspx
  | title = Carper introduces bills to reform IT procurement, FISMA
  | title = Carper introduces bills to reform IT procurement, FISMA
  | author = Ben Bain
  | author = Ben Bain
  | date = 28 April 2009
  | date = 28 April 2009
  | journal = Federal Computer Week}}</ref>  Hearings also were held in May by [[Subcommittee on Government Management, Organization and Procurement]] of the [[U.S. House Committee on Oversight and Government Reform]].<ref name=SCGMOP-2009-05-09>{{citation
  | journal = Federal Computer Week}}</ref>  Hearings also were held in May by [[Subcommittee on Government Management, Organization and Procurement]] of the [[U.S. House Committee on Oversight and Government Reform]].
| date = 19 May 2009
| title = Hearing Testimony and Witness list for the Subcommittee Hearing on: "The State of Federal Information Security."
| publisher = [[Subcommittee on Government Management, Organization and Procurement]],  [[U.S. House Committee on Oversight and Government Reform]]
| url = http://governmentmanagement.oversight.house.gov/story.asp?ID=2442}}</ref>
==References==
==References==
{{reflist|2}}
{{reflist|2}}

Revision as of 15:15, 13 September 2009

This article is developing and not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
Catalogs [?]
 
This editable Main Article is under development and subject to a disclaimer.

Enacted in 2002, the Federal Information Security Management Act (FISMA), was passed to support the E-Government Act of 2002. Without information security, it is impossible for government to deliver reliable services through electronic means. The advent of Internet delivery and cloud computing immensely complicates the security problem.

Framework

Technical definitions and framework are in Federal Information Processing Standard (FIPS) FIPS PUB 199, "Standards for the Security Categorization of Federal Information and Information Systems".[1] While the detailed guidance is in additional guidance, FIPS 199 interprets FISMA as having three dimensions of security categorization:

and matrixes these against potential impact characterized as low, medium and high:

Factor
Low Medium High
Confidentiality row 1, cell 2 row 1, cell 3
Integrity row 2, cell 2 row 2, cell 3
Availability row 2, cell 2 row 2, cell 3

Status

On May 19, 2009, the House took testimony at the required 60-day reporting interval after start of FISMA implementation.[2] Vivek Kundra, the Federal Chief Information Officer, summarized the overall status: "recent successful breaches at the Federal Aviation Administration and at the vendor that hosts USAjobs.gov demonstrate that the current state of information security at Federal agencies is not what the American people have the right to expect. The Federal Information Security Management Act (FISMA) has been in place for 7 years. It has raised the level of awareness in the agencies and in the country at large, but we are not where we need to be." OMB identified the following key issues:[3]

  • The performance information currently collected under FISMA does not fully reflect the security posture of Federal agencies;
  • The processes used to collect the information are cumbersome, labor‐intensive, and take time away from meaningful analysis, and;
  • The Federal community is focused on compliance, not outcomes

Criticism

FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.[4]

In April 2009, Senator Thomas Carper (D-Delaware) introduced two pieces of legislation to force more actual compliance and less paper reporting of hypothetical compliance.[5] Hearings also were held in May by Subcommittee on Government Management, Organization and Procurement of the U.S. House Committee on Oversight and Government Reform.

References