FISMA is one of the foundational cybersecurity documents in the U.S. government. Its passage in 2002 and subsequent update in 2014 have defined the security landscape for federal IT systems and associated contractors.
However, a one-two punch from Congress and the President has changed things again. With recent cyber threats causing major damage to public and private resources, an Executive Order from the Office of the President, coupled with updates implemented by Congress, has shaped, directly or indirectly, the implementation of FISMA.
What is FISMA?
The Federal Information Security Management Act (FISMA) was created as part of the E-Government Act of 2002 (and further updated by the Federal Information Security Modernization Act–also FISMA–in 2014) with the express purpose of modernizing federal systems and their inherent security. Congress recognized that entering the age of digital communication and record-keeping would require agencies and their partners to adhere to specific security requirements to protect sensitive data, secret or otherwise.
FISMA outlines a few specific and foundational practices that government agencies and contractors should follow for compliance. These include:
- Creating Inventories of Information Systems: All networks, hardware, software and data storage tools operated by an organization should be part of an ongoing inventory kept by an organization. The definition of “information systems” is broad, but defined in the National Institute of Standards and Technology (NIST) Special Publication 800-18.
- Categorizing IT Systems By Risk: Organizations should assess their inventoried systems based on overlapping categories of security requirements (based on data stored in the system), potential vulnerabilities and processes used to manage that information. These risk categories, or “impact levels,” are defined in the Federal Information Processing Standard (FIPS) 199.
- Implementing Security Controls: An organization must implement proper security controls following their inventory and risk assessments. These controls are derived from NIST SP 800-53 as a baseline, with some special cases outlined in additional NIST publications.
- Conducting Risk Assessments: Risk assessment, or measuring potential risk in a system based on security controls, potential vulnerabilities and compliance requirements, is used to validate the implementation of security controls derived from NIST 800-53 and FIPS 199.
- Performing Continuous Monitoring: Security is an ongoing practice, and organizations should never assume that systems are de facto secure. Organizations must monitor systems for security events and implement procedures to mitigate, eliminate and remediate these issues.
There are additional regulations governing IT systems in areas like government-partnered cloud platforms and defense supply chain contracting. Still, for the most part, federal IT regulations will call back to FISMA as their basis.
What Changed for FISMA in 2021?
The 2021 update dictated a few changes to the law, namely,
- The Director of the Office of Management and Budget (OMB) was directed to redefine the term “major incident” concerning cybersecurity events. This is meant to help refine what constitutes a security event in a way that is more in line with modern threats, especially in the wake of the SolarWinds hack, the Colonial Pipelines hack, and the sharp rise in state-sponsored cyberattacks against U.S. government and infrastructure systems.
- According to the language of the law, the OMB must include in this definition that a significant incident is “any incident the head of the agency determines is likely to have an impact on the national security, homeland security, or economic security of the United States.” This broad definition allows the government to respond to a wider range of threats, particularly those that, while not targeting government agencies specifically, are targeting national interests.
- The OMB, alongside the Director of the Cybersecurity and Infrastructure Security Agency (CISA), must create and implement risk-based models for budgeting resources towards cybersecurity alongside a CISA-appointed cyber advisor for every U.S. agency.
- Agencies and private organizations in critical U.S. industries suffering a major cybersecurity incident must report this breach within 72 hours of discovery. Agencies must report how the breach impacted them within 30 days of the incident.
These updates are intended to shore up some of the gaps in the law concerning the fast-moving and pervasive challenges facing administrators and security experts and create transparency between the government and the private sector.
What Is in Store for FISMA in 2022?
On December 6, 2021, the Deputy Director of Management for the Office of the President released a memo, “Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements.” This memo outlined several deadlines and reporting requirements for government agencies for the upcoming fiscal year.
Some of these requirements include the following line items:
- Zero Trust: Agencies must implement a minimum of select zero-trust architecture by the end of FY 2024, organized around the five ZTA pillars of Identity, Devices, Networks, Applications and Data. These organizations should deploy multifactor authentication (MFA), encrypt data across all critical systems and assets, implement continuous network and IT assets monitoring, and other important zero trust mechanisms.
- Reformed Auditing: The government will move from strict self-attestation from agencies to more standardized approaches and metrics. The government will also expect agencies to undergo regular penetration or red team testing.
- Risk: Federal assessments will also move from specific “checklists” of implemented compliance controls to risk-based assessments for comprehensive security management for a broader set of threats and vulnerabilities.
- Automation: The OMB will promote digital machine reporting and automated auditing systems to standardize assessments. This will reduce audit burdens and eliminate errors in reporting.
- The Playbook: Agencies will be directed to use the CISA standardized incident response playbook to plan response procedures for any breach. This also creates a standard grammar for agencies when coordinating security across agencies.
This memo also defines how CISA and the OMB will approach reporting and metrics and defines governing agencies involved in U.S. cybersecurity discussions.
The Upcoming Evolution of Cybersecurity in the U.S.
With the release of EO 14028, most individuals and organizations in the “know” of national cybersecurity and defense understood that changes were coming down the pipeline. As it stands, these changes seem to be as promised–streamlining security across government and private sector, implementing zero trust architecture and new reporting and auditing standards.
Like many changes in regulations, the main burden enterprises will face is updating their infrastructure and their auditing processes. With risk and automation becoming the norm, rather than the exception, it’s time for businesses to think about what it means to move from manual auditing to rapid, accurate audit automation.
Are You Ready to Automate Assessments and Prepare for New Cybersecurity Regulations?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.
[wpforms id=”137574″]