Federal Information Security Management Act of 2002

Citation: Tit. III, E-Government Act of 2002, Pub. L. 107-347 (Dec. 17, 2002) (superseding Tit. X, Homeland Security Act of 2002, Pub. L. 107-296 (Nov. 25, 2002)), codified at 44 U.S.C. § 3541 et seq.

Overview
The E-Government Act passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, known as the Federal Information Security Management Act of 2002 (FISMA), requires each federal agency to provide information security protections for agency information and information systems.

FISMA requires each agency to develop, document, and implement an agencywide information security program for the information and systems that support the operations and assets of the agency, using a risk-based approach to information security management. Such a program includes assessing risks; developing and implementing security plans, policies, and procedures; providing security awareness and specialized training; testing and evaluating the effectiveness of controls; planning, implementing, evaluating, and documenting remedial actions to address information security deficiencies; and ensuring continuity of operations.

Security Framework
The Act establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems.

FISMA states that effective information security programs include:

 * Periodic assessments of risk, including the likelihood and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization;
 * Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and address information security throughout the life cycle of each organizational information system;
 * Plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
 * Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks;
 * Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually;
 * A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization;
 * Procedures for detecting, reporting, and responding to security incidents; and
 * Plans and procedures for continuity of operations for information systems that support the operations and assets of the organization.

Agency Responsibilities
FISMA assigns specific policy and oversight responsibilities to the Office of Management and Budget (OMB), technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. Additionally, as part of its oversight role, OMB has issued several guidance memoranda on how agencies should safeguard sensitive information. One such memorandum addressed FISMA oversight and reporting, provided a checklist developed by NIST for protecting remotely accessed information, and recommended, among other things, that agencies encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.

FISMA requires agencies to comply with the information security standards developed by NIST. The Act also requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct, annually, an independent evaluation of their security programs which includes an assessment of the effectiveness of the program, plans, and practices and compliance with FISMA requirements. The evaluations are forwarded to the Director of the Office of Management and Budget, for an annual report to Congress.