What name is given to an act of Congress to recognize the importance of information security to United States interests?
Assistant Professor of Cybersecurity Law, United States Naval Academy. J.D., Georgetown University Law Center; M.P.P., B.A., University of Michigan. The views expressed in this Article are only those of the Author and do not represent the views of the United States Naval Academy, Department of Navy, or Department of Defense. Thanks to LCDR Joseph Hatfield, Chris Inglis, Martin Libicki, and other colleagues at the Naval Academy's Cyber Science Department for frequent discussions on the issues covered in the article, and to the staff of the Iowa Law Review for their excellent editorial work.

What is FOIA?

Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions, which protect interests such as personal privacy, national security, and law enforcement. The FOIA also requires agencies to proactively post online certain categories of information, including frequently requested records. As Congress, the President, and the Supreme Court have all recognized, the FOIA is a vital part of our democracy.

What is the Presumption of Openness and Who Issues Guidance to Agencies on the FOIA?

The FOIA provides that when processing requests, agencies should withhold information only if they reasonably foresee that disclosure would harm an interest protected by an exemption, or if disclosure is prohibited by law. Agencies should also consider whether partial disclosure of information is possible whenever they determine that full disclosure is not possible, and they should take reasonable steps to segregate and release nonexempt information.
The Office of Information Policy at the Department of Justice is responsible for issuing government-wide guidance on the FOIA as part of its responsibilities to encourage all agencies to fully comply with both the letter and the spirit of the FOIA.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information and operations. This risk management framework was signed into law as part of the Electronic Government Act of 2002, and later updated and amended. Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs, and to private businesses and service providers that hold a contract with the U.S. government. Reduced federal funding or other penalties may result from noncompliance.

The Electronic Government Act was introduced in order to improve the management of electronic government services and processes, while also managing federal spending around information security. FISMA was one of the more important regulations in the Electronic Government Act, since it brought forth a method to reduce federal data security risks while emphasizing cost-effectiveness. A set of security policies was made for federal agencies to meet. Specifically, FISMA requires federal agencies, and the other organizations it applies to, to develop, document and implement agency-wide information security programs. These programs should be able to protect sensitive data. The act also assigns some responsibilities to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). Agency officials, such as chief information officers and inspectors general, should conduct annual reviews of an agency's information security program and report those reviews to OMB. OMB then uses the data to assist in its oversight responsibilities and forwards annual reports to Congress.
NIST is tasked with developing standards and guidelines, such as minimum security requirements.

FISMA compliance

FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. NIST outlines numerous steps toward compliance with FISMA:
These are some of the major steps. Other steps include determining the agency-level risk to the business case and authorizing information systems for processing.

FISMA compliance best practices

To ensure compliance with FISMA, here are some best practices to follow:
Pros and cons of FISMA

FISMA allows for:
There are also concerns around FISMA, though. For example:
FISMA is best used as a starting point for implementing security measures. This was last updated in September 2020.
Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?

Explanation: The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States.
What does the FISMA Act do?

FISMA requires federal agencies to implement a mandatory set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information.
What does FISMA stand for?

The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA).
What is FISMA policy?

FISMA 2002 requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.