The Federal Information Security Management Act (FISMA) of 2002 established a framework for ensuring the effectiveness of information security controls over Federal information systems, provided for oversight of agency security programs, and called for the development of minimum controls for securing those systems. FISMA also gave the National Institute of Standards and Technology (NIST) the authority to develop the standards and guidelines that agencies use to implement and maintain risk-based information security programs.
Twelve years later, an amendment to FISMA has been signed into law: the Federal Information Security Modernization Act of 2014. The update modifies FISMA in several ways to bring Federal security practices in line with current security concerns.
- Reasserts the oversight authority of the Director of the Office of Management and Budget (OMB), while authorizing the Secretary of the Department of Homeland Security (DHS) to administer the implementation of security policies and practices for Federal information systems. For systems operated by an element of the intelligence community, OMB’s authorities are delegated to the Director of National Intelligence (DNI).
- Requires agencies to notify Congress of major security incidents within seven days of there being a reasonable basis to conclude that a major incident has occurred. OMB is responsible for developing guidance on what constitutes a major incident.
- Places more responsibility on agencies: budgetary planning must account for security management, senior officials must be held accountable for accomplishing information security tasks, and all personnel are responsible for complying with agency information security programs.
- Changes the reporting guidance focusing on threats, vulnerabilities, incidents, the compliance status of systems at the time of major incidents, and data on incidents involving personally identifiable information (PII).
- Calls for the revision of OMB Circular A-130 to eliminate inefficient or wasteful reporting.
- Provides for the use of automated tools in agencies’ information security programs, including periodic risk assessments, testing of security procedures, and detecting, reporting, and responding to security incidents.
These changes should result in less overall reporting, fewer “check-the-box” approaches to compliance, more accountability on the agencies themselves, and reporting that concentrates on actual security incidents. The update also strengthens the role of continuous monitoring in maintaining a constant cycle of assessing the impact on information systems of both planned and unplanned changes, rather than relying on periodic point-in-time assessments.
Additional cybersecurity legislation proposals are forthcoming from President Obama to further build on the progress of the current Congress. As we look ahead to what these proposals on cybersecurity information sharing, combating cybercrime, and data breach reporting will mean, it is important to evaluate the status of current cybersecurity implementations against the new requirements of the recent FISMA update.
Tenable Network Security continues to provide a streamlined process for assessing vulnerabilities and discovering security issues in real time through SecurityCenter Continuous View™, which provides a comprehensive and integrated view of network health, and Nessus®, the global standard in vulnerability detection and assessment. For more information on how Tenable products support FISMA compliance, see our FISMA solutions page.