Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 (“FISMA”, 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act was meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.

FISMA has brought attention within the Federal Government to cybersecurity, which had previously been much neglected. As of February 2005, many government agencies received extremely poor marks on the official report card, with an average of 67.3% for 2004, an improvement of only 2.3 percentage points over 2003. This shows a marginal increase in how federal agencies prioritize cybersecurity, but experts warn that this system of measurement is misleading. Many argue that, in actual implementation across Federal departments and agencies, FISMA measures the wrong things. Thus it is entirely possible that an agency with a high grade is less secure than an agency with a lower grade; a high grade is no guarantee of actual security. Despite its value for increasing awareness and bringing attention to such an important issue, some feel that FISMA is fatally flawed and will never get Federal information systems, networks and information to the point where they are safe from those who wish to do them harm. Those detractors are correct to a degree, namely that FISMA alone is not the solution to Federal information security challenges.

Compliance Process for an Information System

  • Determine the boundaries of the system
  • Determine the information types in the system and perform FIPS-199 categorization
  • Document the system
  • Perform a risk assessment
  • Select and implement a set of security controls for the system
  • Certification of the system
  • Accreditation of the system
  • Continuous monitoring