FISMA Compliance
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognizes the importance of information security to the economic and national security interests of the United States.
FISMA assigns specific responsibilities to Federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.
Federal agencies, contractors, and any other company or organization that uses or operates an information system on behalf of a federal agency must comply with FISMA regulations. In other words, FISMA affects companies that do business with government agencies.
The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The FISMA compliance process for an information system involves eight steps, from determining the boundaries of the system, through implementing security controls and conducting risk assessments, to certification and accreditation of the system, and ending with continuous monitoring.
Title III of the act deals with the information security aspect of this process. It defines the critical information security objectives as:
- Integrity - "guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity";
- Confidentiality - "preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information"; and
- Availability - "ensuring timely and reliable access to and use of information".
FISMA explicitly emphasizes a risk-based and cost-effective approach to securing information and systems, to identifying and resolving current IT weaknesses and risks, and to protecting against future vulnerabilities and threats. An agency must understand its security posture and close the gaps.
Though scores vary from agency to agency, compliance has been a challenge overall. In both 2004 and 2005, federal agencies received an overall FISMA grade of D+ for IT security.
In contrast to other regulatory efforts, FISMA includes significant penalties for non-compliance. Congress publishes each agency's compliance scorecard, and the CIOs of low-performing agencies may be asked to explain before Congress why they scored poorly. Perhaps most importantly, FISMA carries substantial monetary penalties for non-compliance.
CipherOptics' CipherEngine provides a comprehensive data protection solution that ensures the confidentiality, authenticity, and integrity of any data in motion, thereby mitigating the risk of data loss or theft.
The CipherEngine solution allows organizations to encrypt data across the network using a global policy and key manager along with hardware-accelerated encryption enforcement points. Our solutions offer best-of-breed performance, elegantly simple installation and management, and breakthrough scalability. CipherEngine gives you the power to protect data in motion wherever, however and whenever you want, without changes or disruptions to your network, your infrastructure, or your operations.
To see just how easy it can be to comply with FISMA, call us at 1-877-878-6655 or ask us a question.