The Federal Information Security Management Act (FISMA) is the US government's framework for protecting federal information systems and the data they hold from cyber threats. It establishes a comprehensive set of security requirements and best practices that federal agencies, and the contractors and service providers that handle government data on their behalf, have to comply with.
- While the April 2013 amendments to FISMA were the first since the act was passed in 2002, FISMA best practices are not static and change from time to time. Every year the Office of Management and Budget (OMB), the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) issue new policy memoranda, standards, guidelines and processes intended to streamline and automate security. Recent updates focus on continuous monitoring and near-real-time awareness of an organization's security posture, a marked departure from the earlier "checkbox" mentality of simply verifying once that a required control is in place.
- FISMA standards are not absolute. FISMA (through FIPS 199) defines three impact levels, low, moderate and high, based on the damage a security breach could cause to the confidentiality, integrity or availability of the information. A system is categorized at the highest impact level assigned to any of those three objectives, and that categorization determines which baseline of security controls it must implement and be assessed against. A FISMA "moderate" status, for instance, means the system was categorized as one whose breach could result in "moderate" damage in terms of loss of "confidentiality, integrity or availability," and that it has been assessed against the moderate control baseline. The level is not a grade of how thoroughly a provider complies; it is a statement of what is at stake and therefore of which controls apply.
- Similarly, FISMA standards are flexible in allowing different methods to reach a specific objective. For instance, while FISMA standards mandate the use of an approved hash algorithm, nothing in FISMA ties a vendor to one particular algorithm: a vendor may choose, say, SHA-256 or SHA-384 from the approved SHA-2 family, so long as it does not fall back on an unapproved algorithm such as MD5. The requirement is the objective (an approved, validated implementation), not the specific design choice.
The ultimate responsibility for adhering to FISMA requirements rests with government officials, but data centers play a crucial role in ensuring that a government department, or a business that handles government data, is able to comply. It is important to select a data center that not only has the necessary infrastructure in place today, but is also agile enough to update its controls and make adjustments as and when the regulations change.