In December 2002 the US Congress passed the Federal Information Security Management Act (FISMA). FISMA requires each government agency to implement policies, procedures, and documentation for information security. This includes internal and external government-run systems, and systems provided by third-party providers.
A flourishing information security practices industry has developed in FISMA’s wake to help guide the government and vendors through the numerous, byzantine certification activities.
The FISMA mission statement is to:
Protect the Nation’s Critical Information Infrastructure
FISMA has three assessment levels and risk profiles.
- Low – Procedures to manage public-facing government websites, such as data.gov
- Moderate – Best practices for managing sensitive data and personal identifiable information such as credit card numbers, social security numbers, etc.
- High – Strict policies for managing military, intelligence and classified information.
The majority of internal applications require FISMA Moderate. The moderate certification process is the focus of this series.
The moderate risk profile means addressing over three hundred controls ranging from information handling, physical media management and threat assessments. The hundreds of controls are categorized into the following “control families”:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response
- Personnel Security
- Risk Assessment
- System and Communication Protection
- System and Information Integrity
Many start-ups address the above in various levels of completeness, but may not necessarily have all the supporting documentation to prove compliance. For SaaS systems operating in a cloud environment, the challenge is to describe the control boundaries between the cloud provider and the application layer. For example FISMA requires a policy for physical media disposal. The app layer (i.e. the cloud customer) doesn’t have access to physical media in a cloud environment, so that control is the responsibility of the cloud provider and the app layer inherits the control. Conversely, the cloud infrastructure has no control over the app layer, and the FISMA requirement to support two-factor web-app authentication is the responsibility of the app layer, not the cloud provider.
FISMA wasn’t designed for a world with cloud computing. It’s heritage back to 2002 is a world with hardware-centric design principles and best practices. Sonian and others are pioneering FISMA Moderate certification in a cloud environment.
Topics I will cover in upcoming issues of the FISMA Chronicles:
- The impact cloud computing has on FISMA
- How “agile” start-ups manage ongoing FISMA compliance requirements
- FEDRamp is the next step to consistent FISMA-like accreditation
Image Credit: fismacenter.com