With electronic systems emerging as the primary locus of information storage and communication, the corresponding risks have skyrocketed. According to FBI reports, financial losses from cybercrime and online scams in the U.S. more than doubled in 2009 as compared to 2008. Total losses amounted to $559 million, with a 22% increase in complaint submissions recorded by the Internet Crime Complaint Center (IC3). Alarmingly, in 16% of the cases, scammers had duped their targets by pretending to be affiliated with the FBI.
Clearly, cybercrime is becoming a rampant and complex problem. Criminals are now employing increasingly sophisticated technology to hack into information databases. Not even federal information is safe. And that is where the greatest risk lies.
In the aftermath of 9/11 and subsequent terror attacks across the world, the protection of federal information has become a key government priority. It is especially crucial when one considers the amount of data that the government is responsible for - Social Security Records, defense secrets, insurance information, tax records and health information of millions of people. All this data is subject to a complex web of computers, software, hardware and personnel across local and national boundaries. Without adequate information security, people's safety can be at risk, not to mention their confidence in the government.
Yet, security breaches do occur. Take the instance of the Pentagon hack in 2006; or the attack on the Federal Aviation Administration systems in 2009 where employee personal information was stolen; or the complex tax fraud conspiracy uncovered in 2010 where attempts were made by a hacker to bilk the government out of millions of dollars. Dangerous antagonists continue to launch wide-scale attacks on federal systems, thereby inflicting irreparable damage. One just needs to scan The Chronology of Data Breaches to observe that almost every other day, a new information security breach is recorded.
As a result of these threats, the U.S. government felt it imperative to implement controls that regulate information security. Thus, in 2002, the Federal Information Security Management Act (FISMA) was passed.
FISMA recognizes that protecting federal information is central to the economic and national security interests of the nation. Against the complex web of the federal computing environment, FISMA provides agency-wide internal controls for information security and risk management. It requires federal agencies to develop, document and implement an information security program not just for their own operations and assets but for those provided or managed by another agency, contractor or source.
The development and management of FISMA is controlled by two federal agencies - the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). NIST publishes two types of documents - the Federal Information Processing Standards (FIPS) and the Special Publications - both of which help federal agencies achieve FISMA compliance.
FISMA requires agencies to develop an agency-wide security program, adhere to the security standards developed by NIST, and continuously review the effectiveness of their security programs.
Mandatory compliance with FISMA extends to large agencies such as the Department of Homeland Security and the Department of Justice, all foundations, educational institutions and organizations receiving federal funds, as well as contractors who store, process or transmit federally owned data.
Failure to comply with FISMA can lead to a number of repercussions. For one, confidential data is put at the risk of hacker attacks which, in turn, can cause immense financial losses to the government. To avoid this scenario, each federal agency receives an annual grade for its FISMA compliance programs. These grades are made public on at least one federal Web site. A high grade indicates that the agency's systems are secure and data is safe. A low grade indicates that the agency's systems are vulnerable to cyber attack. A low grade can also severely impact an agency's reputation and threaten the jobs of those responsible for information security. More importantly, it can lead to the OMB delaying or denying funding for subsequent agency programs. Sometimes, a low-grade agency's top executives have to testify before Congress, explaining the reasons for their poor scores. Non-compliance is therefore a costly affair.
Executing FISMA compliance
The objectives of agencies complying with FISMA's requirements are two-fold - to build and maintain an information security program, and to submit annual compliance reports. To achieve these objectives, organizations must:
The process of selecting the appropriate security controls is a multifaceted, risk-based activity involving management and operational personnel within the organization.
With its attention to detail, FISMA is no doubt a valuable tool to federal agencies and the government. As a central repository of regulatory information, it is extremely vital. However, it is not without its own share of challenges.
Complying with FISMA can be a drain on agency finances, time, personnel and other resources. It is not easy to create a sustainable compliance process that operates efficiently year after year, nor is it feasible to produce compliance reports on a regular basis. Understanding and filtering out the specific compliance requirements of each agency is a further hindrance.
Instead of losing sleep over the complexities of FISMA compliance, agencies can turn towards a comprehensive compliance solutions provider. Through a range of applications and software, such a provider can design, assess and improve security controls under the FISMA framework. The result is increased security, compliance and confidence.