
Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) is the "Short Title" given to the Subchapter III "Information Security" amendments that were made in 2002 to Chapter 35 of title 44 (as well as to sections 11331 and 11332 of title 40) of the United States Code. They apply to the information systems of all U.S. federal agencies, contractors, and representatives that make up the "national security system" and are intended to protect these systems from modern-day information security threats.

To achieve compliance, FISMA mandates that the head of each agency adopt the National Institute of Standards and Technology (NIST) Risk Management Framework, which is intended to be implemented within the context of the system development life cycle standards and the Federal Enterprise Architecture standards.

NIST summarizes their framework using the following steps:

Step 1: Categorize the information system and the information resident within that system based on impact. (FIPS 199 and NIST SP 800-60)

Step 2: Select an initial set of security controls for the information system based on the FIPS 199 security categorization and apply tailoring guidance as appropriate, to obtain a starting point for required controls. (FIPS 200 and NIST SP 800-53)

Step 3: Supplement the initial set of tailored security controls based on an assessment of risk and local conditions, including organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances. (NIST SP 800-53 and SP 800-30)

Step 4: Document the agreed-upon set of security controls in the system security plan, including the organization's justification for any refinements or adjustments to the initial set of controls. (NIST SP 800-18)

Step 5: Implement the security controls in the information system. (See the appropriate NIST publication: http://csrc.nist.gov/publications/)

Step 6: Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (NIST SP 800-53A)

Step 7: Authorize information system operation based upon a determination of the risk to organizational operations, organizational assets, or individuals resulting from the operation of the information system, and the decision that this risk is acceptable. (NIST SP 800-37)

Step 8: Monitor and assess selected security controls in the information system on a continuous basis, including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis. (NIST SP 800-37 and SP 800-53A)

Do you need to find a solution to your FISMA requirements? Do you have a comment or a suggestion for others facing FISMA compliance and using Quest products? Or have you found something that works especially well? Please let us know!

We look forward to all your questions, comments and suggestions!