Checklist will help American organizations comply with FISMA
Modulo Security, the Risk Assessment, Compliance and Knowledge Management company, is launching a new checklist for Risk Manager™, the company's Risk Assessment, Compliance and Knowledge Management System: the FISMA Checklist. The checklist was developed to help government-owned organizations in the U.S. comply with the Federal Information Security Management Act (FISMA), a law passed by the U.S. Congress to regulate information security in government organizations.
FISMA
FISMA was passed by the U.S. Congress in 2002 with the purpose of defining a structure to guarantee the effectiveness of information security controls in federal government operations. The law requires federal agencies to implement comprehensive information security programs aimed at identifying and resolving risks in the government's IT area, which includes agencies such as the Department of Defense (DoD) and the Central Intelligence Agency (CIA).
The National Institute of Standards and Technology (NIST) is responsible for developing the American government's technical security standards and for defining the controls to be implemented by government organizations. For this purpose, NIST has developed a set of controls for compliance with FISMA, which are specified in the document "Recommended Security Controls for Federal Information Systems". "The new FISMA checklist was developed based on the document issued by NIST and on the controls it contains, which include Access Control, Awareness and Training, Audit and Accountability, Configuration Management and Contingency Planning", says Alberto Bastos, founding partner of Modulo Security.
In addition to controlling the activities performed by federal organizations, FISMA also requires these institutions to send annual reports, developed in cooperation with independent internal and external auditors, to the Office of Management and Budget (OMB) stating the security situation of their IT Departments.
New Checklist
Using this new checklist, security managers of federal agencies will be able to verify compliance with the controls set by NIST for compliance with FISMA. Additionally, the system makes it possible to generate an action plan, as defined in the "Plan of Action and Milestones" (POA&M) model, directed toward increasing observance of the regulations imposed by the U.S. Congress.
In this way, managers can focus their actions on what actually poses the greatest risk to information security, using the data in the checklist to collect information and recommend best practices for maintaining security and complying with FISMA.
For a better understanding of how Risk Manager™ can help these professionals, here are some of the benefits of using the FISMA checklist:
• Automatic application of the controls and specifications established by NIST.
• Managerial reports that allow assessment of the risk level to which the IT department is exposed.
• Technical advice on implementing controls and minimizing security risks and failures.
• Dissemination of knowledge throughout the organization thanks to a permanently updated knowledge base.
• Automatic issuance of reports to support planning of security actions.
• Action plan and action priorities set as defined in the "Plan of Action and Milestones" (POA&M) model.