Follow FISMA Fundamentals to Improve Compliance

May 14, 2012 — 1,125 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

The Federal Information Security Management Act (FISMA) was created to protect the United States' critical information infrastructure. Government agencies and government contractors can reduce information technology security risk if they understand the act's fundamentals.

Take the time to review the information below to gain a better understanding of the guidelines surrounding FISMA.

Categorize by mission impact
Establishing cost-effective, risk-based information security is much easier than it seems for most institutions. Organizing information and information systems by mission impact enhances the efficiency of a government agency or contractor.

Using a categorization system allows you to sort information by importance and relevance. A mission that affects a large number of people will take higher priority than a task that involves only a few. Take additional time to ensure the security of information and information systems based on impact.

Select minimum baseline controls
Who should have access to information and information systems? This is a question government agencies and government contractors must consider when they review their security risks.

Be sure to set up criteria to establish minimum baseline controls. Determining who requires access to various systems to complete daily tasks protects those who work with the federal government.

Additionally, a risk assessment plan might prove valuable after the minimum controls have been created. This allows you to refine controls based on their effectiveness, and gives you the opportunity to tailor them specifically to your government agency or government contracting firm.

Document the controls
Keeping accurate records is a staple of any business, so be sure to document the controls you use in a system security plan. This enables others who have obtained security access to control and manage information safety.

Once the documentation is complete, you're ready to implement the controls into appropriate information systems. Assessment and evaluations should be ongoing, and can start after you begin using the controls.

Determine risks
So you've created your controls and have instituted your information security system - now it's time to follow-up on possible risks. You should determine agency-level risk to the mission or business situation by looking at how this information could affect your organization. Study what types of risks the information could pose if it were to fall into the wrong hands to effectively handle this step.

Doing so allows you to authorize the information system for processing. Although security controls will require continuous monitoring, you may use this system as a template for your government agency or government contracting firm to alter as necessary over time.