What is the Federal Information Security Management Act (FISMA)?
The Federal Information Security Management Act of 2002 (FISMA) assigns certain responsibilities to U.S. government agencies to ensure the confidentiality, integrity, and availability of federal government data. The act requires program officials to conduct annual reviews of information security programs. However, as of September 2012, the Office of Management and Budget (OMB) requires monthly data feeds to be sent to its CyberScope application portal.
Several publications from the National Institute of Standards and Technology (NIST) provide guidance on FISMA compliance, including the use of Security Content Automation Protocol (SCAP)-compliant VM solutions to facilitate FISMA reporting. The following four publications are particularly relevant to VM and continuous network monitoring solutions:
- NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
- NIST 800-53: Recommended Security Controls for Federal Information Systems and Organizations<
- NIST 800-128: Guide for Security-Focused Configuration Management of Information Systems
- NIST 800-137: Information Security Continuous Monitoring for Federal Information Systems