Application Security's Role in FISMA Compliance

by Fortify

Dec 17, 2009

The Federal Information Security Management Act of 2002 (FISMA) provides a comprehensive framework for ensuring effective information security controls for all federal information and assets. The Act aims to bolster computer and network security within the Federal Government by mandating periodic audits. Based on this framework, FISMA mandates that all government agencies report their overall security posture to the Office of Management and Budget, which in turn reports to Congress annually.

In addition, the National Institute of Standards and Technology (NIST) is chartered with developing and issuing standards and guidelines that federal agencies must follow to implement and manage cost-effective FISMA programs. It has created a risk-based framework that federal agencies can use to assess, select, monitor and document security controls for their information systems.

Still, organizations tasked with complying with FISMA face many challenges. As some agencies have learned, putting NIST's 800-Series guidelines into effect requires more than simple security scans or adherence to a schedule of periodic audit and reporting cycles. Successfully meeting its requirements calls for fundamental cross-organizational changes and new intra-agency procedures, both of which are often difficult to put in place.

Compliance regulations such as these have been developed to help government agencies ensure that the software that runs their agencies is protected. This CISO's Guide to FISMA provides a checklist to help Government CISOs understand what steps need to be taken to protect their agency's confidential data and information.