CRS Insights
Cybersecurity: FISMA Reform
Eric A. Fischer, Senior Specialist in Science and Technology (efischer@crs.loc.gov, 7-7071)
November 24, 2014
Two bills to revise the Federal Information Security Management Act (FISMA, 44 U.S.C. Chapter 35,
Subchapter III) are being considered in the 113th Congress. H.R. 1163 passed the House in April 2013,
and S. 2521 was reported to the Senate in September 2014.
Current FISMA Requirements
Enacted in 2002, FISMA created a security framework for federal information systems. It emphasizes
risk management and gives specific responsibilities to the Office of Management and Budget (OMB),
the National Institute of Standards and Technology (NIST), and individual federal agencies.
FISMA gives OMB responsibility for overseeing federal information-security policy, evaluating agency
information-security programs, and promulgating cybersecurity standards developed by NIST. It
requires executive agencies to inventory major computer systems, identify and provide appropriate
security protections, and develop, document, and implement agency-wide information-security
programs. Agencies must provide security protections commensurate with risk and comply with
applicable security standards. They must perform risk assessments, determine and implement
necessary security controls in a cost-effective manner, and evaluate those controls periodically. Each
agency must designate an information-security officer, with responsibilities including agency-wide
information-security programs, policies, and procedures, training of security and other personnel,
processes for remedial action to address deficiencies, and procedures for handling security incidents
and ensuring continuity of operations. Agencies must also develop performance plans, effect
independent annual evaluations of their cybersecurity programs and practices, and provide annual
reports on compliance and effectiveness to Congress. FISMA security requirements also apply to
contractors who run information systems on behalf of an agency.
The act exempts national security systems (NSS) from its requirements, except with respect to
enforcement of accountability by agencies for meeting requirements, and reporting to Congress. NSS
fall under the jurisdiction of the interagency Committee on National Security Systems (CNSS). However,
FISMA requires that CNSS and FISMA standards be complementary to the extent feasible. It also gives
responsibility for protection of mission-crucial systems in DOD and the CIA to the Secretary of Defense
and the CIA Director, respectively.
The law also established a central federal incident center, overseen by OMB, to analyze incidents and
provide technical assistance relating to them, to inform agency operators about current and potential
threats and vulnerabilities, and to consult with NIST, NSA, and other appropriate agencies about
incidents.
Issues and Concerns
A commonly expressed concern about FISMA is that it is awkward and inefficient in providing adequate
cybersecurity to government IT systems. The causes cited have varied but themes have included
inadequate resources, a focus on procedure and reporting rather than operational security, lack of
widely accepted cybersecurity metrics, variations in agency interpretation of the mandates in the act,
excessive focus on individual information systems as opposed to the agency's overall information
architecture, and insufficient means to enforce compliance both within and across agencies.
Weaknesses in FISMA implementation have been cited by GAO. In 2010, OMB attempted to address
some of the operational issues administratively by delegating some operational responsibilities to the
Department of Homeland Security (DHS).
