The Origins

The Federal Information Security Management Act (FISMA) came into being as part of the Electronic Government Act of 2002. The law recognizes the importance of keeping documents and information firmly within the control of the agency that is tasked with using it and ensuring it is only released through channels allowed by current laws. As part of FISMA, the directive was for each agency to develop programs designed to protect data and distribute it in ways that are in compliance with current laws and regulations.

What It's All About

The key provisions found in NIST 800-53 are:
- Control of access to data: Who has it, what it takes to get to it and what is done to revoke access if necessary.
- A plan for recurring audits and full accountability: This includes reviews of how the provisions within the agency are working, any irregularities identified since the last audit and even how the current revisions are working. The audit also seeks to determine the origin of any existing issues and how to go about resolving them.
- Structured training: Ensures agency personnel understand how to operate within the confines of the current recommendations. This includes provisions for remedial training and training for any recently released revisions.
- Configuration and management: Covers all historical as well as recently acquired data. The plan is to ensure data collection is uniform and easy to access by authorized personnel and that the integrity of the data is protected.
- Proper authentication and identification: This includes the creation and issuance of logins and other credentials to authorized personnel. It also includes provisions for revoking credentials and ensuring personnel who no longer require access cannot use their codes to regain access.
- Preparing for contingencies: Ranges from planning related to a temporary shutdown of the system to activating security measures that contain data breaches.
- System maintenance: Routine and regular schedule for maintaining all hardware and software, including regular checks for efficiency and any evidence of attempted breaches.
Tips to Help With Compliance

Agencies and corporations that seek government-issued contracts must comply with the provisions found in NIST 800-53. They have one calendar year from the official release of a revision to bring their operations into full compliance. During that time, there are several key strategies for ensuring they are fully compliant within that time frame.
What Does the Future Hold?

The current version of NIST 800-53 was released in 2014. In 2017, a proposed update known as Revision 5.0 was made available for public viewing. Along with some changes in the text, the revision indicated that the standards found in the document would apply to a wider range of organizations, including federal agencies that were exempt in the past. The final edition of Revision 5.0 is tentatively set for release in March 2019. At that point, federal agencies, non-federal organizations and agencies with government contracts will be expected to review the updates and begin the process of complying with the new standards. Even if your business does not have any contracts with a government entity, monitoring the release and the provisions within the latest version of NIST 800-53 would be in your best interest. Doing so will be especially helpful since the new version may help set new standards for private business networks.