FISMA
The Federal Information Security Modernization Act of 2014 (FISMA) highlights the importance of information security to the economic and national security interests of the United States. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized the need for cost-effective, risk-based security programs. FISMA requires Inspectors General, as well as agency program officials and Chief Information Officers, to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses these data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with the act.
NIST FISMA Guidance
To produce security standards and guidelines for FISMA, the National Institute of Standards and Technology (NIST) established the FISMA Implementation Project in 2003. The project aims to support the implementation of and compliance with FISMA standards. Per FISMA, an effective information security program should include, among other things,
- periodic assessments of risk, including the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
- policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system
- security awareness training to inform personnel of information security risks
- periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls
- a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies
- procedures for detecting, reporting, and responding to security incidents
- plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization
In support of FISMA, OMB requires executive agencies within the federal government to
- plan for security
- ensure that appropriate officials are assigned security responsibility
- periodically review the security controls in their information systems
- authorize system processing prior to operations and periodically thereafter
A key element of the FISMA Implementation Project is NIST's integrated Risk Management Framework, which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.
OIG Reporting Metrics
OIGs are not expected to conduct their own full risk analysis but rather to evaluate how agencies are evaluating risk and prioritizing security issues. OIGs are encouraged to evaluate agency findings and compare them to existing agency priorities, administration priorities, and key FISMA metrics.
Our office assesses the information security programs of the Board and the CFPB in the following seven areas:
- risk management
- configuration management
- identity and access management
- security training
- information system continuous monitoring
- incident response
- contingency planning
We determine the maturity level for each area according to FISMA metrics. We then determine whether specific elements were in place for each program and report the data to OMB.
