Impact of FISMA upon the Quantification within the Government

Introduction

The 107th Congress in December 2002 passed the Federal Information Security Management Act (FISMA) to cover the aspect of information security to the national and economic security interests in America (Conklin, 2007). FISMA (2016) provides that cybersecurity focuses on three areas: critical infrastructure, federal agencies, and “everything else.” In 2016, the rate of cybersecurity in America was high and the majority of Americans experienced threats that their data was exposed to varying email and media services. In the same year, approximately 30,899 cybersecurity incidents were reported that compromised system functionality or information. It has led several policies to be formulated to strengthen the aspect of cybersecurity.

Objectives of Policy Makers

Several agencies or policymakers are in charge of cybersecurity in the United States. According to the Act, the heads of every agency as well as program officials should conduct reviews every year on information security programs, to maintain risks at the lowest level possible with the least possible cost. One of the objectives to attain these thresholds is using the best information systems to control security. Second, they require assessing security by defining controls and identifying and applying the minimum controls. The control requires documentation in the security plan of the system. The policymakers assess and identify the risk at the agency level and formulate controls specific for that agency (Conklin, 2007). 

Challenges Facing Cybersecurity Objectives and Solutions

FISMA challenges are based on the aspect that it is more on compliance rather than on security (CSRC, 2019). The challenge is based on the measuring metric used by the system. Rather than improving the actual security, FISMA is like a letter that agencies require to follow for legal purposes. It thus fails to solve the core issue of information systems. Secondly, the government blames the users for security issues without dealing with the core problem

Rather than blaming the users, the government should rather deal with vendors to import well-designed goods with the best configurations. Several companies receive fails and poor metrics in their compliance forms. However, this can be solved by introducing ‘attack-based’ metrics to measure security compliance. The metric may include exploring where the IT or teams collect errors in code; after employees leave a company, how many accounts remain active; duration taken in the deployment of security patches, and the speed at which system penetrations take, and the time it takes to identify malicious code in a system. 

Effectiveness of FISMA in the Workplace

For a business that complies with FISMA, they need to build and maintain an information security program as well as submitting FISMA reports every year. However, the process to attain the best security control is risks and requires the operational and management personnel to implement and manage an inventory for information systems (MetricStream Inc., 2019). This should be followed by a categorical and standardized method of information systems following the risks associated. Then, they formulate security controls by following the NIST 800-53 publication which will help the business identify the most cost-effective methodology for the organization. The vulnerabilities and potential risks are assessed and mapped to the security controls which aid the managers to determine their risk providing the best strategy of whether to accept or mitigate the risk. Lastly, there is a need for a periodical strategy to monitor and audit the system which will identify the effectiveness of the systems and the corrective actions.

References

Conklin, W. A. (2007, January). Barriers to Adoption of e-Government. In 2007 40th Annual Hawaii International Conference on System Sciences (HICSS’07) (pp. 98-98). IEEE.

CSRC. (2019). Risk Management: FISMA Background. COMPUTER SECURITY RESOURCE CENTER.

FISMA. (2016). Federal Information Security Modernization Act of 2014. FISMA FY 2016 Annual Report To Congress.

MetricStream Inc. (2019). Frequent Threats to Federal Information Security Necessitate FISMA Compliance. Retrieved 22 August 2019, from https://www.metricstream.com/insights/fisma_act_compliance_necessity.htm