Federal Information Security Management Act of 2002, Tit. III, E-Government Act of 2002, Pub. L. No. 107-296 (Tit. X), 116 Stat. 2259; Pub. L. No. 107-347 (Tit. III), 116 Stat. 2946. Codified at 44 U.S.C. Ch. 35, Subchapters II and III; 40 U.S.C. §11331; 15 U.S.C. §§278g-3 and 278g-4.
The E-Government Act of 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, known as the "Federal Information Security Management Act of 2002" ("FISMA"), was enacted to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets." FISMA is the principal law governing the federal government's information security program; it requires each federal agency to provide information security for, and thereby protects, agency information and information systems.
FISMA requires each agency to develop, document, and implement an agencywide information security program "providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."
Such a program includes assessing risks; developing and implementing security plans, policies, and procedures; providing security awareness and specialized training; testing and evaluating the effectiveness of controls; planning, implementing, evaluating, and documenting remedial actions to address information security deficiencies; and ensuring continuity of operations.
The Act establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems.
FISMA states that effective information security programs include:
- Periodic assessments of risk, including the likelihood and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization;
- Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and address information security throughout the life cycle of each organizational information system;
- Plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
- Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks;
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually;
- A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization;
- Procedures for detecting, reporting, and responding to security incidents; and
- Plans and procedures for continuity of operations for information systems that support the operations and assets of the organization.
FISMA assigns specific policy and oversight responsibilities to the Office of Management and Budget (OMB), technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS).
Office of Management and Budget
FISMA assigns OMB responsibility for:
- developing and overseeing the implementation of policies, principles, standards, and guidelines on information security;
- requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, or destruction of information collected or maintained by or on behalf of an agency, or information or information systems used or operated by an agency, or by a contractor or other organization on behalf of an agency;
- overseeing agency compliance with FISMA to enforce accountability; and
- reviewing, at least annually, and approving or disapproving agency information security programs.
Each year, OMB provides instructions to federal agencies regarding FISMA reporting. In this guidance, for example, OMB has stated that agencies are permitted to utilize private sector data services, provided that appropriate security controls are implemented and, more generally, that agencies ensure that their information security programs apply to all organizations that possess or use federal information, including contractors.
As part of its oversight role, OMB has issued several guidance memoranda on how agencies should safeguard sensitive information. One such memorandum, addressing FISMA oversight and reporting, provided a checklist developed by NIST concerning protection of remotely accessed information and recommended that agencies, among other things, encrypt all data on mobile devices and use a "time-out" function for remote access and mobile devices.
NIST is responsible for developing standards and guidelines for providing adequate information security for all agency operations and assets, except for national security systems. These standards and guidelines must include, at a minimum,
- standards to be used by all agencies to categorize all of their information and information systems based on the objectives of providing appropriate levels of information security, according to a range of risk levels;
- guidelines recommending the types of information and information systems to be included in each category; and
- minimum information security requirements for information and information systems in each category.
NIST standards and guidelines issued under this authority include:
- Federal Information Processing Standard (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems."
- FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems."
- NIST Special Publication 800-37, Rev. 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach."
- NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations."
FISMA limits NIST to developing, in conjunction with the Department of Defense and the National Security Agency, guidelines for agencies on identifying an information system as a national security system, and for ensuring that NIST standards and guidelines are complementary with standards and guidelines developed for national security systems.
FISMA requires each agency, including agencies with national security systems, to develop, document, and implement an agencywide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Specifically, FISMA requires information security programs to include, among other things:
- periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems;
- risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system;
- subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate;
- security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency;
- periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems;
- a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency;
- procedures for detecting, reporting, and responding to security incidents; and
- plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
In addition, agencies must produce an annually updated inventory of major information systems (including major national security systems) operated by the agency or under its control, which includes an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.
FISMA also requires each agency to report annually to OMB, selected congressional committees, and the Comptroller General on the adequacy of its information security policies, procedures, and practices, and on its compliance with requirements. In addition, agency heads are required to report annually the results of their independent evaluations to OMB, except to the extent that an evaluation pertains to a national security system, in which case only a summary and assessment of that portion of the evaluation needs to be reported to OMB.
National security vs. non-national security systems
These responsibilities do not, however, apply equally to all agency information systems. FISMA differs in its treatment of national security and non-national security systems. While FISMA requires each federal agency to manage its information security risks through its agencywide information security program, the law recognizes a long-standing division between requirements for national security and non-national security systems that limits civilian management and oversight of information systems supporting military and intelligence activities.
FISMA recognizes the division between national security systems and non-national security systems in two ways. First, to ensure compliance with applicable authorities, the law requires agencies using national security systems to implement information security policies and practices as required by standards and guidelines for national security systems in addition to the requirements of FISMA.
Second, the responsibilities assigned by FISMA to OMB and NIST are curtailed. OMB's responsibilities are reduced with regard to national security systems to oversight and reporting to Congress on agency compliance with FISMA. OMB’s annual review and approval or disapproval of agency information security programs, for example, does not include national security systems.
Similarly, according to FISMA, NIST-developed standards, which are mandatory for non-national security systems, do not apply to national security systems. FISMA limits NIST to developing, in conjunction with DOD and the National Security Agency (NSA), guidelines for agencies on identifying an information system as a national security system, and for ensuring that NIST standards and guidelines are complementary with standards and guidelines developed for national security systems. FISMA also requires NIST to consult with other agencies to ensure use of appropriate information security policies, procedures, and techniques in order to improve information security and avoid unnecessary and costly duplication of effort.
In light of this division between national security and non-national security systems, NIST is responsible for developing standards and guidance for non-national security information systems. For example, NIST issues mandatory Federal Information Processing Standards (FIPS) and special publications that provide guidance on information systems security for non-national security systems in federal agencies.
For national security systems, National Security Directive 42 established CNSS, an organization chaired by the Department of Defense, to, among other things, issue policy directives and instructions that provide mandatory information security requirements for national security systems. In addition, the defense and intelligence communities develop implementing instructions and may add additional requirements where needed.
FISMA provides a further exception to compliance with NIST standards. It permits an agency to use more stringent information security standards if it certifies that its standards are at least as stringent as the NIST standards and are otherwise consistent with policies and guidelines issued under FISMA. It is on the basis of this authority that the Department of Defense establishes information security standards for all of its systems (national security and non-national security systems) that are more stringent than the standards required for protecting non-national security systems under FISMA. For example, the DOD directive establishing the DOD Information Assurance Certification and Accreditation Process (DIACAP) for authorizing the operation of DOD information systems requires annual certification that the DIACAP process is current and more stringent than NIST standards under FISMA.
The Act also requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct an annual independent evaluation of their security programs, which includes an assessment of the effectiveness of the program, plans, and practices and of compliance with FISMA requirements. The evaluations are forwarded to the Director of the Office of Management and Budget for an annual report to Congress.
For agencies without an inspector general, evaluations of non-national security systems must be performed by an independent external auditor. Evaluations related to national security systems are to be performed by an entity designated by the agency head.
Application for cybersecurity
A commonly expressed concern about FISMA is that it is awkward and inefficient in providing adequate cybersecurity to government IT systems. The causes cited have varied, but common themes have included inadequate resources, a focus on procedure and reporting rather than operational security, a lack of widely accepted cybersecurity metrics, variations in agency interpretation of the mandates in the Act, and insufficient means to enforce compliance both within and across agencies.
- Pub. L. No. 107-347.
- See Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives.
- 44 U.S.C. §3541.
- Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. Id. §3542.
- Id. §3544(a)(1)(A).
- The GAO has noted that many federal agencies have not implemented security requirements for most of their systems, and must meet new requirements under FISMA. See Information Security: Continued Efforts Needed to Fully Implement Statutory Requirements.
- 40 U.S.C. §11331.
- The differing treatment of national security and non-national security systems reflects a long-standing division in laws that limit civilian management oversight of military and intelligence information systems by excluding national security systems from the "information technology" overseen by the civilian agencies. OMB authority over such systems is limited in FISMA (44 U.S.C. §3543(b)), in the Paperwork Reduction Act of 1980 (44 U.S.C. §3502(9)), and in the Clinger-Cohen Act (40 U.S.C. §11103). NIST authority is limited by 15 U.S.C. §278g-3(a)(2), as amended by FISMA, but also under the prior language of the Computer Security Act of 1987 (Pub. L. No. 100-235, Jan. 8, 1988). These limitations are variations of a provision, known as the "Warner Amendment," added to the DOD Authorization Act of 1982, which exempted DOD procurement of national security systems from General Services Administration oversight under the Brooks Act (then-40 U.S.C. §759). Pub. L. No. 97-86, title IX, §908(a)(1), Dec. 1, 1981; 10 U.S.C. §2315.
- In addition to placing limitations on OMB's authority over national security systems, FISMA permits further independence from OMB oversight for Department of Defense and Central Intelligence Agency systems where loss of security would have a debilitating impact on the mission of either agency, 44 U.S.C. §3543(c). More generally, FISMA also states that it does not affect authorities otherwise granted an agency with regard to national security systems (as well as requirements under the Atomic Energy Act of 1954), Sec. 301(c), Pub. L. No. 107-347 (116 Stat. 2955); 44 U.S.C. §3501 note.
- National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems (July 5, 1990).
- See generally Information Security: Agencies Report Progress, but Sensitive Data Remain at Risk: Hearings Before the Subcomms. of the House Comm. on Oversight and Government Reform, 110th Cong. 6-8 (2007) (statement of Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office).