Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all government agencies, government contractors and organizations that exchange data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting and implementing an information security program.
In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement and provide technical assistance with policies for information security for non-national (civilian) security federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting of any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.
FISMA: Who It Affects and Why It’s Important
The purpose of FISMA is to protect government information, assets and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors and even data clearinghouses fall under FISMA regulations.
Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for your organization and a cut to your IT budget, as well as significant administrative ramifications to your organization. However, failure to comply with FISMA, especially regarding breach-avoidance and proper data destruction, can have much grander and more catastrophic implications for you and your organization. Should any of your private, secured federal data be compromised and your organization was found to be non-compliant, there are severe civil and federal criminal consequences.
How to Comply with FISMA
C-suite executives like chief information officers, information security officers, senior agency officials and agency program officials are all responsible and held accountable for ensuring compliance of FISMA within their respective organizations.
As stated in FISMA, these federal or otherwise federally-affiliated organizations must develop, implement and accurately manage an information security program to safeguard the IT systems and any ensuing data collected, stored and transferred. This includes documentation of both the security systems and access granted to stored federal information.
The National Institute of Standards and Technology (NIST) outlines steps that these individuals should take to comply with FISMA:
- Track and categorize all information and media devices that must be protected.
- Set baseline security controls. Implement and document their use in the appropriate security system.
- Regularly refine these controls using a defined risk-assessment procedure as part of an annual review process.
- Authorize the IT system for processing within the selected group of authorized personnel and monitor the systems regularly.
Complying with FISMA also extends into data destruction and device disposal practices. Full data destruction requirements can be found under the Federal Information Processing Standards (FIPS) Publication 200: Minimum Security Requirements for Federal Information and Information Systems. According to FIPS, organizations under FISMA must: i) set and enforce policies for protecting all data and information systems, whether on paper or in digital format, ii) appoint authorized personnel for sole access of the IT systems and federal information, and iii) ensure complete and total destruction of both the data and the media in which it is stored upon reaching end-of-life.
When it comes to the disposal of this federally-protected private data, FIPS also states that the organization must develop and enforce a set of policies for how the data and media should be destroyed, and accurately document every data disposal event, most easily accomplished by using an audit-friendly media tracking system such as SEM’s iWitness. It’s recommended to purchase on-site data destruction machinery and limit access to the data and the data destruction machinery to a small group of authorized personnel.
Furthermore, when it comes to the data end-of-life cycle, the device in which the data is housed must also be destroyed via degaussing, incinerating, melting or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. And, you want to choose a vendor like SEM that has NIST- and NSA-approved data destruction machinery.