FISMA Fundamentals
The Department of the Navy (DON) is required to comply with the Federal Information Security Management Act of 2002 (FISMA) also known as Title III of the E-Government Act of 2002. FISMA requires each federal agency to provide information security for its information technology (IT) assets. The purpose of FISMA is to provide a framework for enhancing the effectiveness of information security in the federal government. FISMA also provides a mechanism for effective oversight of federal agency information security programs.
The director of the Office of Management and Budget (OMB) oversees FISMA compliance. The DON reports FISMA status to the Assistant Secretary of Defense (Networks and Information Integration) (ASD/NII), which consolidates all Department of Defense (DoD) input and reports to OMB. This article explains the importance of accurate and timely reporting of FISMA data.
FISMA Reporting Using the IT Registry
The DoD Information Technology Registry serves as a technical repository to support chief information officers' (CIO) assessments and maintains an IT system inventory to comply with Congressional requirements. The Office of the Secretary of Defense (OSD) uses data from the DoD IT Registry to compile reports regarding FISMA status.
The DON uses its own DON IT Registry to record the certification and accreditation (C&A) status of mission critical (MC), mission essential (ME), and mission support (MS) DON systems and networks. The DON uploads this data quarterly (March 1, June 1, Sept. 1 and Dec.1) into the DoD IT Registry. Data from the DoD IT Registry is used to report FISMA status for the entire DoD to OMB and Congress. The DON must improve the recording and reporting of IT systems data to increase compliance with OSD and OMB FISMA requirements. Punctual and accurate reporting of DON IT systems is key to validating DON compliance with security requirements and justifying funding for IT security tasks.
Key Issues for FISMA Compliance
Three key areas of FISMA compliance that affect the DON are: (1) reporting the certification and accreditation status of DON IT systems; (2) the DON Plan of Action and Milestones (POA&M); and (3) the status of information systems privacy management.
The Secretary of the Navy directed the DON to reach and sustain 90 percent or greater certification and accreditation status for DON systems and networks. This C&A compliance rate is required by the President's Management Agenda for 2005.
OMB requires federal agency CIOs to monitor the status of information security weaknesses, including the lack of full accreditation in POA&Ms for each system and network. OMB reviews POA&Ms for systems for which a Capital Asset Plan and Justifications (known as OMB Exhibit 300) is submitted. The Department of the Navy Chief Information Officer (DON CIO) retains other system POA&Ms and provides a summary report to OSD quarterly.
The DON CIO is responsible for DON compliance with Section 208, Privacy Provisions of the E-Government Act of 2002. OMB Memorandum 03-22, "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," issued Sept. 26, 2003, provides OMB requirements for compliance with the E-Government Act and states the conditions in which a Privacy Impact Assessment is required for an IT system. The DON CIO has developed a Privacy Impact Assessment, which is available on the DON CIO Web site. (See the Reference Links box for information.)
In fiscal year 2005, OMB introduced a new privacy management section of FISMA reporting, which removes privacy compliance reporting from the annual E-Government Act report to the annual FISMA report.
OMB FISMA Guidance for FY 2005
In 2005, OMB issued M-05-15, "FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Manageme