Computer Information System and FISMA Compliance Report Analysis

Verified

Added on 2021/05/31

AI Summary

This report delves into the critical aspects of FISMA (Federal Information Security Modernization Act) compliance, a crucial regulation for federal data security. It outlines the project-oriented process for achieving FISMA compliance, as defined by NIST, encompassing system initiation, development, implementation, operation, and disposal. The report highlights the role of NIST in establishing security standards and guidelines, including publications like FIPS 200, NIST 800, and FIPS 199, with a focus on NIST SP 800-53, which provides a catalog of security controls. It explores the Risk Management Framework as a complementary approach and details the four phases of the certification and accreditation process: planning and initiation, certification, accreditation, and continuous monitoring. The report also discusses how organizations are migrating to NIST 800-53 and adapting their Risk Management Framework based on SP 800-37, which includes steps like assessing, selecting, implementing, and authorizing security controls. This analysis provides a comprehensive understanding of FISMA compliance and its practical application in securing federal information systems.

Running Head: COMPUTER INFROMATION SYSTEM 1
Computer information system
Name of the Student:
Institution Affiliations:

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

COMPUTER INFROMATION SYSTEM 2
FISMA compliance as required in the Modernization Act of 2014
FISMA compliance is achieved by following a project-oriented process. NIST explains this
process in six steps: system initiation, development and acquisition, implementation,
operation and maintenance and disposal
This can further be summarised in the diagram below
The number of controls/sub-controls in the compliance requirement
FISMA is a critical regulation requirement for federal data security guidelines and
standards. It was brought forth to help reduce the risk which the federal information data is
exposed to and also help to reduce the cost incurred on information security. To achieve the
objectives FISMA set some security standards and guidelines that all federal agencies had to
meet. However, FISMA also applies to private companies (Gantz & Philpott, 2013). The

COMPUTER INFROMATION SYSTEM 3
national Institutive of standards and technology plays an essential role in the implementation
of FISMA project which was launched in January 2003. Thus it came up with the
fundamental guidelines and security standards required by FISMA (Johnson, 2015). Some of
this publications include FIPS 200, NIST 800 and FIPS 199. NIST SP 800-53 gives a well-
explained catalog of some security controls which is necessary for FISMA compliance
(Gantz & Philpott, 2013). However, it is not necessarily that an agency needs to implement
all the controls that are critical to the organizations. Thus agencies need to select appropriate
controls to satisfy security requirement (Kott & Linkov, 2018). In the end, the said
organization is supposed to document the security controls they selected in their system
security plan. NIST 800-53 divides security controls into three categories custom, Hybrid,
and Common. Custom controls are those meant to be used by personal devices or application.
Hybrid controls are those that have a standard monitor and are typically customized
according to the requirements of a specific application or device. Common controls are those
that are often used in an organization.
Risk Management Framework
Another framework that may be used to complement and facilitate the meeting of
compliance regulation includes the Risk Management Framework. The specification and
selection of security controls are usually achieved as part of the organization security that is
categorized as the management of organizational risk (Bourne, 2014). The management of
organizational risk is an essential framework because it helps in selecting the best security
controls for a system.

COMPUTER INFROMATION SYSTEM 4
The authorization and accreditation process of FISMA
The national institute of standards and technology have come up with four phases for
certification and accreditation process which the federal government uses to ensure that
organizations comply with federal controls (Kott & Linkov, 2018). This process includes
Initiation and planning, certification, accreditation and continuous monitoring. Each stage has
some activities that must be acted upon before proceeding to the next activity.
 Planning and initiation
This happens to be the first stage in the certification and accreditation process. At this stage
information system security officer and the information system owner must decide that a
C&A is necessary (Patterson, Gingrich & Nazario-Negron, 2018). They also establish a
C&A team decide what resources are required, develop a project plan with milestones and
lastly they determine a formal classification necessary for the C&A team.
 Certification
In this certification stage, some independent auditors check on preliminary accreditation and
certification document and do an audit the said information system by use of a checklist to
make sure that controls which are based on NIST 800.53 have been put in place. This
independent audit is composed of testing, visual inspection, onsite interviews and
vulnerability scans.
 Accreditation

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

COMPUTER INFROMATION SYSTEM 5
In this stage, the body mandate for certification usually goes through the C&A document to
make sure that all the critical information has been provided in the package before deciding
on accreditation.
 Continuous Monitoring
Continuous monitoring is necessary to be alert in case of new threats and also to able to
maintain the systems compliant baseline. ISSO's usually makes use of the detection tools,
change management procedures and sys logs for monitoring and preventing any authorized
changes (Taylor, 2013). Through having a process that continuously checks the information
system, the ISSO can easily mark any configuration compromises or changes that can
negatively affect the system
Applying Risk management framework to federal information system through the FISMA
process
In recent times most of the in intelligent community organizations have migrated to
NIST 800-53 because their security controls have modified their Risk Management
framework according to the structure based on SP 800-37. The necessary framework steps
which are found in SP 800-37 include: assess security controls, select security controls,
monitor security state, implement security controls, authorize information system and
Categorize information system (Taylor, 2013). FISMA Implementation project phase two
came up with a NIST documentation that significantly supports the Risk management
framework.

COMPUTER INFROMATION SYSTEM 6
References
Taylor, L. P. (2013). FISMA compliance handbook. Waltham, MA: Syngress.
Gantz, S. D., & Philpott, D. R. (2013). FISMA and the risk management framework [recurso electrónico]: The
new practice of federal cybersecurity. Estados Unidos: Syngress.
Patterson, I., Patterson, I., Gingrich, N., Nazario-Negron, J., & National Institute of Standards and Technology
(U.S.). (2018). NIST technology transfer interactions: the Fiscal year 2010 through the fiscal year 2014.
Kott, A., & Linkov, I. (2018). The cyber resilience of systems and networks. Cham: Springer.
Bourne, K. C. (2014). Application administrators handbook: Installing, updating and troubleshooting software
Johnson, L. (2015). Security controls evaluation, testing, and assessment handbook.