The Federal Information Security Management Act of 2002 (FISMA)

Enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899), FISMA mandates annual reviews and independent evaluations to assure computer and network security within the Federal Government and affiliated parties (e.g., contractors). Within the Federal Agencies, FISMA is largely responsible for establishing best practices and regulatory methods, and the Office of Management and Budget (OMB), with input from the Department of Defense (DoD), NIST, and DHS, continually updates FISMA implementation guidance by circular and memorandum.

FISMA's mandatory processes apply to all IT systems used or operated by a Federal Government Agency or by a contractor or organization on behalf of an Agency. These processes must follow a combination of Federal Information Processing Standards (FIPS) documents, the NIST Special Publication 800 (SP 800) series, and other legislation pertinent to federal information systems, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, following these mandates only demonstrates "compliance," not "security": a system can satisfy every documented control and still be compromised, which is why many argue that FISMA on its own will never assure that Federal IT systems are safe from those who wish to do them harm.

In response to the arguments that FISMA alone is not the solution to Federal IT security challenges, recent memos increasingly mandate standard configurations for desktops and servers, as well as documented processes for certification and accreditation. Two important developments are the Security Content Automation Protocol (SCAP) and the Federal Desktop Core Configuration (FDCC), which take the IT controls required under FISMA a step further by specifying, in machine-checkable form, how systems must actually be configured. OMB is requiring that agencies implement both SCAP and FDCC by February 1, 2008.

Similar specifications and procedures are being developed for immediate implementation by the DoD for military IT acquisitions. Common configuration templates in this sector are often defined by the Security Technical Implementation Guides (STIGs) available for various platforms and configurations.

Every year, civilian Agencies and DoD spend enormous amounts of time and money deploying and re-certifying systems, and IT measurement and controls are increasingly mandatory in order to carry out these processes in a systematic and cost-effective manner.

SignaCert can dramatically reduce the cost of re-certification, while putting in place IT quality controls and measurement that can help affirm IT operational excellence.

Read a recent blog on Federal IT market issues, needs and developments.