There are two laws with the same acronym FISMA. Make sure you know the major differences!
- Federal Information Security Management Act (FISMA) of 2002
- Federal Information Security and Modernization Act (FISMA) of 2014
Federal Information Security Management Act of 2002
The Federal Information Security Management Act (FISMA) of 2002 is United States legislation that defines a comprehensive framework for protecting government information, operations, and assets against natural or man-made threats. The act requires all federal agencies, departments, and their contractors to adequately safeguard their information systems and assets. FISMA was signed into law as part of the Electronic Government Act of 2002 (the E-Government Act of 2002).
That law was created “to enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes”. FISMA's stated purposes include:
- To cover the information systems that support the operations and assets of a federal agency, including those operated by a contractor or another source
- To provide for the development and maintenance of the minimum controls necessary to protect federal information and information systems, commensurate with the risk and magnitude of harm resulting from unauthorized access, use, or disclosure, including annual reviews of the effectiveness of information security and privacy programs
- To produce an accurate inventory of all information systems
Note: FISMA applies to all federal information and information systems, including data in all forms (paper, electronic, audio).
This Act matters in healthcare because of the cost of meeting FISMA requirements for the secure exchange of health information with the private sector. FISMA mandates regular security risk assessments, annual reviews, and security certification/accreditation programs for contractors, as well as an annual report on information security programs. A good example is the Center for Medicare and Medicaid, where about 200 contractors would fall under FISMA mandates. Millions of healthcare providers would then request health records electronically, which would require larger staff budgets as well as the cost of updating computer technology.
Where does HIPAA stand with regards to FISMA of 2002?
FISMA has 171 information security controls that are mandated for federal agencies. In contrast, the U.S. healthcare industry must meet the Health Insurance Portability and Accountability Act (HIPAA), which covers only 101 of the FISMA controls. There is therefore a definite gap between the more tightly controlled FISMA environment and the less secure HIPAA environment.
- FISMA: created specifically for federal government computer systems
- HIPAA and state privacy laws: created for the private sector
The Federal government gave the National Institute of Standards and Technology (NIST) the role of developing standards for Federal agencies to categorize information by risk level, guidelines for the types of categories to be used, and the minimum information security requirements for the information and information systems in each category.
Federal Information Security and Modernization Act (FISMA) of 2014
The Federal Information Security and Modernization Act (FISMA) of 2014 is a federal law that provides security protections for information collected or maintained by or for a federal agency. FISMA codifies the Department of Homeland Security’s role in administering the implementation of information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing the policies.
This act updates the Federal Government’s cybersecurity practices by:
- Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security Federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
- Amending and clarifying the Office of Management and Budget’s (OMB) oversight authority over federal agency information security practices; and by
- Requiring OMB to amend or revise OMB Circular A-130 to “eliminate inefficient and wasteful reporting”.
Regarding the Department of Homeland Security’s role in administering the implementation of information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing the policies, the Act:
- Authorizes DHS to provide operational and technical assistance to other Federal Executive Branch civilian agencies at the agency’s request;
- Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
- Authorizes DHS technology deployments to other agencies’ networks (upon those agencies’ request);
- Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
- Requires agencies to report major information security incidents as well as data breaches to Congress, both as they occur and annually; and
- Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting, while adding new reporting requirements for major information security incidents.
Homeland Security Act of 2002
The Homeland Security Act of 2002 became Public Law 107-296 on November 25, 2002. It was established to secure the United States from the many threats it faces or may encounter in the future. To date the Department has over 240,000 employees, in roles ranging from aviation and border security, emergency response, and cybersecurity analysis to chemical facility inspection. The Department of Homeland Security has an expansive role and broad goals for protecting the nation.
The FISMA metrics leverage the Cybersecurity Framework as a standard for managing and reducing cybersecurity risk, and they are organized around the framework’s five functions: Identify, Protect, Detect, Respond, and Recover. The Cybersecurity Framework, when used in conjunction with NIST Special Publication 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems, SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, and associated standards and guidelines, provides agencies with a comprehensive structure for making more informed, risk-based decisions and managing cybersecurity risk across their enterprise.
The United States Computer Emergency Readiness Team (US-CERT) provides publications to help with everything from setting up a first computer to understanding the nuances of emerging threats, on topics such as:
- Banking securely online
- Introduction to information security
- Protecting aggregated data
- Risks of using portable devices
- Cyber threats to mobile phones