Basic requirements for FISMA compliance
The Federal Information Security Management Act (FISMA) is a United States federal law that requires federal agencies to develop, document, and implement an information security and protection program.
The top FISMA requirements include:
- Maintaining an inventory of information systems.
- Categorizing information and information systems according to risk level.
- Maintaining a system security plan.
- Utilizing security controls.
- Conducting risk assessments.
- Obtaining certification and accreditation.
- Conducting continuous monitoring.
Following are the steps to become FISMA compliant:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they have been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.