The Federal Information Security Management Act (FISMA) is a law defining a structure in which federal agencies are assigned responsibilities in regard to information security with the protection of US economics and national security in mind. FISMA establishes regulations and policy that protect the nation and its critical infrastructures from natural, manmade, and terrorist attacks. The regulations and policies are to be adhered to and implemented by different federal agencies, the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB) (FISMA 2014).
Concerns and problems regarding documents which attempt to govern Cybersecurity include whether or not there are adequate resources to mitigate threats. Problems involve the roles of the OMBA and DHS and which has authority over what. This has led to the need for revisions to agency responsibilities. As such, in 2010 the OMB reassigned and designated certain responsibilities to the Department of Homeland Security (DHS) (Orszag, P.R. & Schmidt, H.A.. 2010). Sharing cybersecurity information between agencies is also a challenge. These responsibilities included overseeing government-wide and agency specific implementation and reporting, including agencies’ annual compliance and reports (Fisher. 2014).
With cybersecurity threats continuing to evolve improvements to FISMA have needed to come about. In 2014 the OMB released, for the first time, an annual guidance regarding security improvements in accordance with FISMA (Donovan. 2014). The OMB guidance includes new processes for the DHS to conduct when monitoring Federal civilian agency networks and identifying potential threats. The DHS published the “FY 2015 Chief Information Officer (CIO) Annual Federal Information Security Management Act (FISMA) Metrics, which aims to not only improve processes but assess their effectiveness (FISMA 2014). The DHS also tackled cleaning up how agencies report incidents and provided guidelines on improving threat response with its publication of “Updated U.S. Computer Emergency Readiness (US-CERT) Incident Notification Guidelines (Federal Incident Reporting Guidelines. 2014).
Donovan, S. (2014, October 3). Memorandum For Heads of Executive Departments and Agencies [Letter]. Https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-01.pdf.
Federal Incident Reporting Guidelines. (2014). Retrieved from https://www.us-cert.gov/government-users/reporting-requirements
Federal Information Security Modernization Act (FISMA). (2016, August 23). Retrieved from https://www.dhs.gov/fisma
Fisher, E. A. (2014, November 24). Cybersecurity: FISMA Reform. Retrieved from https://www.us-cert.gov/government-users/reporting-requirements
Orszag, P. R., & Schmidt, H. A. (2010, July 6). MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES [Letter]. Https://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-28.pdf.