Cyber Security, Education, Tip of the Week

Did You Know?

Did you know FISMA

Two different federal laws share the acronym FISMA. Make sure you know the major differences!

  1. Federal Information Security Management Act (FISMA) of 2002

  2. Federal Information Security and Modernization Act (FISMA) of 2014

Federal Information Security Management Act of 2002

The Federal Information Security Management Act (FISMA) of 2002 is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. The act requires all federal agencies, departments, and their contractors to adequately safeguard their information systems and assets. FISMA was signed into law as part of the Electronic Government Act of 2002, also known as the E-Government Act of 2002.

E-Government Act of 2002 or Public Law 107-347

This law was created “to enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes”.

FISMA Objectives:

  • To protect the information and information systems that support the operations and assets of a federal agency, including those provided or managed by a contractor or another source
  • To provide for the development and maintenance of the minimum controls necessary to protect federal information and information systems, commensurate with the risk and magnitude of harm resulting from unauthorized access, use, or disclosure, including annual reviews of the effectiveness of the information security and privacy programs
  • To produce an accurate inventory of all information systems

Note: Applies to all federal information and information systems including data in all forms (paper, electronic, audio)

This act is important in healthcare because of the expense of meeting FISMA rules when enabling the secure exchange of health information with the private sector. FISMA mandates regular security risk assessments, annual reviews, and security certification/accreditation programs for contractors, as well as an annual report on information security programs. A good example is the Centers for Medicare and Medicaid Services, where about 200 contractors would be subject to FISMA mandates. Millions of healthcare providers would then request health records electronically. This would require increases in staff budget as well as the cost of updating computer technology.

Where does HIPAA stand with regards to FISMA of 2002?

FISMA has 171 information security controls that are mandated for federal agencies. In contrast, the U.S. healthcare industry must meet the Health Insurance Portability and Accountability Act (HIPAA), which covers only 101 of the FISMA controls. There is therefore a definite gap when data moves from a more controlled system (FISMA) to a less secure HIPAA environment.

FISMA: created specifically for federal government computer systems

HIPAA and State Privacy Laws: created for the private sector

The federal government gave the National Institute of Standards and Technology (NIST) the role of developing the standards to be used by federal agencies for categorizing information based on risk level, the guidelines for the types of categories to be used, and the minimum information security requirements for the information and information systems in each category.

Federal Information Security and Modernization Act (FISMA) of 2014

The Federal Information Security and Modernization Act (FISMA) of 2014 is a federal law that provides security protections for information collected or maintained by or for a federal agency. FISMA codifies the Department of Homeland Security’s role in administering the implementation of information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing the policies.

This act updates the Federal Government’s cybersecurity practices by:

  • Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security Federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
  • Amending and clarifying the Office of Management and Budget’s (OMB) oversight authority over federal agency information security practices; and
  • Requiring OMB to amend or revise OMB Circular A-130 to “eliminate inefficient and wasteful reporting.”

An overview of the Department of Homeland Security’s role in administering the implementation of information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing the policies is as follows. The act:

  • Authorizes DHS to provide operational and technical assistance to other Federal Executive Branch civilian agencies at the agency’s request;
  • Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
  • Authorizes DHS technology deployments to other agencies’ networks (upon those agencies’ request);
  • Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
  • Requires agencies to report major information security incidents as well as data breaches to Congress, both as they occur and annually; and
  • Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting, while adding new reporting requirements for major information security incidents.

Homeland Security Act of 2002

The Homeland Security Act of 2002 became Public Law 107-296 on November 25, 2002. It was established to secure the United States from the many threats it faces today or may encounter in the future. To date there are over 240,000 employees, in roles ranging from aviation and border security to emergency response, cybersecurity analysis, and chemical facility inspection. The Department of Homeland Security has an expansive role and set of goals for protecting the nation.

The FISMA metrics leverage the Cybersecurity Framework as a standard for managing and reducing cybersecurity risk, and they are organized around the framework’s five functions: Identify, Protect, Detect, Respond, and Recover. The Cybersecurity Framework, when used in conjunction with NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems; NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View; and associated standards and guidelines, provides agencies with a comprehensive structure for making more informed, risk-based decisions and managing cybersecurity risk across their enterprise.

The United States Computer Emergency Readiness Team (US-CERT) provides publications and documents that help with everything from setting up your first computer to understanding the nuances of emerging threats, on topics such as:

  • Banking securely online
  • Introduction to information security
  • Protecting aggregated data
  • Risks of using portable devices
  • Cyber threats to mobile phones

Cyber Security, Tip of the Week, Trends & Technology

Privacy: Don’t Take It for Granted

Just imagine this scenario happening to you:

“‘Unplug your Alexa devices right now,’ a voice on the other line said. ‘You’re being hacked.’ Apparently, one of Amazon’s Alexa-powered Echo devices in their house had silently sent recordings to the caller without the family’s permission, according to KIRO 7, a news station covering Seattle and western Washington state that first reported the story. The person, an employee of the husband, was in the family’s contact list. ‘My husband and I would joke and say, “I’d bet these devices are listening to what we’re saying,”’ a woman who identified herself only by her first name, Danielle, told KIRO. She added that the device did not tell her that it would be sending the recorded conversations.” (Hamza Shaban, The Washington Post)

Amazon Echo is a line of smart speakers developed by Amazon. Echo connects to the voice-controlled intelligent personal assistant known as Alexa.

It is primarily a convenience device, offering:

  • Voice interaction
  • Making calls
  • Music playback
  • Making to-do lists
  • Setting alarms
  • Streaming podcasts
  • Playing audiobooks
  • Providing weather information
  • Providing traffic information
  • Much more real-time information

See the video by Gary Horcher of KIRO 7.

Solutions to increase your privacy at home or work

  • The best solution is to unplug the device
  • Be aware of your device’s capabilities
  • Minimize any future damage by disabling the microphone before having a private conversation
  • Our technicians use inexpensive black electrical tape over a laptop’s camera, or a webcam slide cover
  • If you are using a home security device with a camera, turn it to face the wall while you are home and return it to its normal position when leaving home or work (see Home security camera systems vulnerabilities)
  • More importantly, if you have the Echo speaker, do not set it up to make calls
  • Google Home has calling capabilities similar to the Echo, set up through the Google Home smartphone app; the same advice applies
  • Do not use the “wake word” for Alexa
  • Consider using a different wake word; in Alexa’s case, the options are Alexa, Echo, Amazon, or Computer

Just be aware that technology such as devices with cameras, speakers, recorders, and real-time interaction brings with it the risk of losing privacy. A good example is a city installing hundreds of surveillance cameras so the community feels more secure. The community then has a virtual block watch that allows anyone with an email address and an internet connection to watch whatever activity the cameras capture.