The Federal Information Security Management Act of 2002 (“FISMA”, 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107–347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States.[1] The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. (Source: Wikipedia)
The FISMA Act is a set of guidelines for selecting and specifying security controls for information systems that process, store, or transmit Federal information. The Act points to the Special Publications that NIST publishes as the authoritative, regularly updated guidance that should be consulted.
NIST SP 800-53 is specifically referenced as the guide for how to select controls and what you need to implement for your systems. NIST SP 800-53 relies on risk assessment as the key input for deciding which controls apply, how rigorously they should be applied, and which areas need particular attention.
The FISMA Compliance Handbook is “the bible”.
FISMA Compliance Handbook
Laura A. Taylor
2nd Edition. ISBN: 978-0-12-405871-2
Chapter 1 – FISMA Compliance Overview, Pages 1-9
Chapter 2 – FISMA Trickles into the Private Sector, Pages 11-16
Chapter 3 – FISMA Compliance Methodologies, Pages 17-26
Chapter 4 – Understanding the FISMA Compliance Process, Pages 27-40
Chapter 5 – Establishing a FISMA Compliance Program, Pages 41-48
Chapter 6 – Getting Started on Your FISMA Project, Pages 49-55
Chapter 7 – Preparing the Hardware and Software Inventory, Pages 57-62
Chapter 8 – Categorizing Data Sensitivity, Pages 63-78
Chapter 9 – Addressing Security Awareness and Training, Pages 79-86
Chapter 10 – Addressing Rules of Behavior, Pages 87-94
Chapter 11 – Developing an Incident Response Plan, Pages 95-115
Chapter 12 – Conducting a Privacy Impact Assessment, Pages 117-128
Chapter 13 – Preparing the Business Impact Analysis, Pages 129-136
Chapter 14 – Developing the Contingency Plan, Pages 137-152
Chapter 15 – Developing a Configuration Management Plan, Pages 153-165
Chapter 16 – Preparing the System Security Plan, Pages 167-199
Chapter 17 – Performing the Business Risk Assessment, Pages 201-220
Chapter 18 – Getting Ready for Security Testing, Pages 221-229
Chapter 19 – Submitting the Security Package, Pages 231-237
Chapter 20 – Independent Assessor Audit Guide, Pages 239-273
Chapter 21 – Developing the Security Assessment Report, Pages 275-288
Chapter 22 – Addressing FISMA Findings, Pages 289-294
Chapter 23 – FedRAMP: FISMA for the Cloud, Pages 295-303
FISMA resources:
- FISMA: Fact and Fiction
- FISMA Implementation Project
- 2012 FISMA Reporting Metrics
- 2012 FISMA Report to Congress
- 2011 FISMA Report to Congress
- 2010 FISMA Report to Congress
- 2009 FISMA Report to Congress
- 2008 FISMA Report to Congress
- 2007 FISMA Report to Congress
- 2006 FISMA Report to Congress
- 2005 FISMA Report to Congress
- 2004 FISMA Report to Congress
- FISMA Reporting Template for CIOs
- FISMA Reporting Template for IGs
- FISMA Reporting Template for Micro Agencies
- FISMA Reporting Template for SAOPs
- FISMA Quarterly Reporting Template