FISMA
Presentation by Doug Wagoner, www.dsainc.com. Uploaded by aSGuest7375, added December 19, 2008. Views: 253. Category: Business & Finance. License: All Rights Reserved.

Presentation Transcript

Slide 1: FISMA - Federal Information Security Management Act Overview
Doug Wagoner, www.dsainc.com

FISMA Background:
- Federal Information Security Management Act; Rep. Tom Davis is the champion
- Replaced GISRA, signed in October 2000
- Title III of the Electronic Government Act of 2002
- Applies to Federal Agencies, including government contractors
- Purpose is to secure the information infrastructure used in all of the Federal Agencies

FISMA Requirements:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Annual security reporting to the Office of Management and Budget
- Security awareness training
- Follow guidelines issued by NIST for information security controls

FISMA Requirements (continued):
Report to Congress provides:
- A summary of government-wide performance in the area of information technology security management
- An analysis of government-wide weaknesses in information technology security practices, and
- A plan of action to improve information technology security performance
Report to Congress includes:
- Certification and accreditation of systems
- Security costs
- Annual testing of system controls
- Contingency planning
- Implementation of security configuration requirements

FISMA Management:
- IS Program Management (Strategic)
- Information Security Operations
- Policy & Compliance Management
- System Integration, Configuration, & Lifecycle Management
- Vulnerability, Certification & Accreditation Management

FISMA Implementation:
- Most CIOs place responsibility for compliance on the CISO
- Decentralized departments are having the most problems
- IGs review the FISMA process and reporting
- Reports are sent to OMB by the end of each FY
- Reporting standards are governed by OMB A-130 and NIST Special Publication 800-26, with changes including 800-53

NIST View of FISMA (diagram: the elements surrounding "Agency Information and Information System", each with its NIST guidance):
- Categorization of Information and Information System (FIPS 199, SP 800-60): defines categories of information and information systems according to levels of risk for confidentiality, integrity, and availability; maps information types to security categories
- Security Control Selection and Implementation (SP 800-53): management, operational, and technical controls (i.e., safeguards and countermeasures) planned or in place to protect information and information systems
- Security Planning (SP 800-18): documents the security requirements and security controls planned or in place for the protection of information and information systems
- Risk Assessment (SP 800-30): analyzes the threats to and vulnerabilities of IT and the potential impact of harm that the loss of confidentiality, integrity, or availability would have on an agency
- Verification of Security Control Effectiveness (SP 800-53A): measures the effectiveness of the security controls associated with information systems through security testing and evaluation
- Security Authorization (Accreditation) (SP 800-37): the authorization of information systems to process, store, or transmit information, granted by a senior agency official, based on the effectiveness of security controls and residual risk

Grades Getting a Little Better

Slide 9: FISMA Costs
- $4.2B in FY04 for information security
- Over 7% of the IT budget
- Fastest growing part of the IT budget, at 12% according to INPUT
- However...
- The cost of non-compliance is inferior security of systems, national security, and taxpayer data
- Congress can assess budget cuts for non-compliance
- Department pride

FISMA Resources:
- Office of Management and Budget. "Security of Federal Automated Information Resources." Appendix III, OMB Circular No. A-130, http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html
- NIST - FISMA Implementation Projects, http://csrc.nist.gov/sec-cert/
- GAO - Management Planning Guide for Information Systems Security Auditing, http://www.gao.gov/