
OIG: FISMA

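<!DOCTYPE html>
<html lang="en">
<head>
  <!--
    Review notes. This rewrite keeps every link target, script and visible
    string of the page; only markup quality and a few defects changed:
    - the viewport no longer sets maximum-scale=1, which blocked pinch-zoom
    - the search trigger is a submit button instead of an href="javascript:void(0)"
      link, so the form submits via keyboard and without JavaScript
    - every target="_blank" link carries rel="noopener noreferrer"
    - the RSS and sign-up items in STAY CONNECTED had a stray </span> before the
      <a> and an unclosed <span> inside it; the two LinkedIn <noscript> fallbacks
      pointed at this page / the Twitter profile instead of LinkedIn (the correct
      URLs are decoded from the exitWindow() arguments beside them)
    - icon-only buttons and links get a visually hidden name (class "screen-reader",
      which the search control already uses for that purpose)
    - obsolete type/language attributes on <script>, <style>, <link> dropped;
      protocol-relative // URLs made explicit https (the page itself is served
      over https, per og:url)
    NOTE(review): several body and footer links are plain http:; they are left
    unchanged - confirm each target serves https before upgrading them.
  -->
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta property="og:title" content="OIG: FISMA">
  <meta property="og:image" content="https://oig.federalreserve.gov/images/OIG-twitter-card-small.png">
  <meta property="og:description" content="The OIG provides independent oversight of the Board and the CFPB to improve their programs and operations and to prevent and detect fraud, waste, and abuse.">
  <meta property="og:url" content="https://oig.federalreserve.gov/fisma.htm">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:site" content="@OIGFedCFPB">
  <meta name="twitter:title" content="FISMA">
  <meta name="twitter:description" content="Review of agency programs and operations.">
  <meta name="twitter:image" content="https://oig.federalreserve.gov/images/OIG-twitter-card-small.png">
  <meta name="twitter:image:alt" content="Seal of the Office of Inspector General">
  <title>OIG: FISMA</title>
  <link rel="icon" type="image/x-icon" href="/gifjpg/favicon.ico">
  <link rel="stylesheet" href="/_/includes/main.css" media="screen">
  <link rel="stylesheet" href="/_/includes/print.css" media="print">
  <!--[if IE]> <link rel="stylesheet" type="text/css" href="/_/includes/all-ie-only.css" /> <![endif]-->
  <style>
    .share-page { margin-bottom: 30px; }
    .icon-email-link, .icon-twitter, .icon-signup-email-updates, .icon-rss { color: #00416B; font-size: 1.8em; }
    .share-this-page li { float: left; }
    .icon-email-link { left: 30px; }
    .stay-connected ul li a { color: #666; font-weight: normal; height: 30px; padding-left: 0; padding-right: 0; text-decoration: none; width: 30px; }
    .stay-connected ul li { font-size: 12px; padding-bottom: 0; }
    .twitter-link { left: 40px; }
    .linkedin-link { left: 80px; }
    .stay-connected-container li { padding-bottom: 0; }
    .stay-connected-container .rss-link { margin-left: 40px; }
    .stay-connected-container .twitter-link { left: 80px; }
    .stay-connected-container .linkedin-link { left: 120px; }
    .icon-linkedin { background-image: url("/_/includes/images/linkdin-icon-21px.png"); background-repeat: no-repeat; display: block; width: 37px; height: 30px; }
    .icon-twitter-svg { background-image: url("/_/includes/images/Twitter_Logo_Blue.svg"); background-repeat: no-repeat; background-position: -9px -9px; display: block; width: 40px; height: 40px; }
  </style>
  <!-- defines exitWindow(), used by the share / stay-connected links below -->
  <script src="/resources/exit_Disclaimer.js"></script>
</head>
<body>
  <noscript>
    <div class="external-links-disclaimer">
      <p>If you are seeing this message, Javascript is disabled. Disclaimer for all external links found on this page: The Office of Inspector General&#160;(OIG) for the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau does not necessarily endorse the views expressed or the facts presented on the external sites. The OIG does not endorse any commercial products that may be advertised or on the external sites. The OIG&#39;s privacy policy does not apply on the external sites. Please check the site for its privacy notice.</p>
    </div>
  </noscript>
  <div id="skiptonav"><a href="#primary-navigation">Skip to Navigation</a></div>
  <div id="skiptocontent"><a href="#maincontent">Skip to Main content</a></div>

  <div id="supplementary-navigation-con" class="con">
    <div id="supplementary-navigation" class="nav container clearfix">
      <!-- icon-only controls: the aria-label is their only accessible name -->
      <button type="button" class="icon-search" aria-label="Search"></button>
      <button type="button" class="icon-toggle icon-list" aria-label="Menu"></button>
      <a href="/hotline.htm" class="mobile-hotline">Hotline</a>
      <ul>
        <li><a href="/faq-about-oig.htm">FAQs</a></li>
        <li><a href="/careers.htm">Careers</a></li>
        <li><a href="/contact-us.htm">Contact Us</a></li>
      </ul>
    </div>
  </div><!-- Closes supplementary-navigation-con -->

  <div class="container">
    <div class="svg-test BrandImage" id="branding">
      <a title="OIG Home" href="/default.htm">
        <svg width="100%" height="100%">
          <title>OIG Home</title>
          <image xlink:href="/images/oig-logotype.svg" src="/images/oig-logotype.png" width="100%" height="100%"/>
        </svg>
      </a>
    </div><!-- Closes branding -->
    <div class="seal2">
      <a title="OIG Home" href="/default.htm">
        <svg width="100%" height="100%">
          <title>OIG Home</title>
          <image xlink:href="/images/oig-seal-hdr-embed.svg" src="/images/oig-seal-hdr.png" width="100%" height="100%"/>
        </svg>
      </a>
    </div>
    <form id="search" action="https://www.fedsearch.org/oig_search/search" method="get">
      <div>
        <label for="searchbox">Search full text of reports and pages:</label>
        <input type="text" id="searchbox" name="text" value="">
        <!-- a real submit button: works by keyboard, works without JavaScript -->
        <button type="submit">
          <span class="icon-search"></span>
          <span class="screen-reader">Search</span>
        </button>
      </div>
    </form>
  </div>

  <div class="con" id="primary-navigation-con">
    <div class="nav container clearfix" id="primary-navigation">
      <ul class="nav">
        <li class="dropdown">
          <a class="dropdown-toggle" data-toggle="dropdown" href="/aboutus.htm">About Us</a>
          <!-- NOTE(review): href-less <a> used as a click target, presumably bound in
               /resources/oig_Custom.js; left as-is because the hook may depend on the
               element type. A <button type="button"> would be the semantic choice. -->
          <a class="sub-nav-toggle"><span class="icon-chevron-down"></span></a>
          <ul class="sub-nav">
            <li class="dropdown"><a href="/introduction.htm">Introduction to the OIG</a></li>
            <li class="dropdown"><a href="/the-inspector-general.htm">The Inspector General</a></li>
            <li class="dropdown"><a href="/senior-leadership.htm">Senior Leadership</a></li>
            <li class="dropdown"><a href="/strategic-plan.htm">Strategic Plan</a></li>
            <li class="dropdown"><a href="/inspector-general-act.htm">Inspector General Act</a></li>
            <li class="dropdown"><a href="/board-activity.htm">Board Activity</a></li>
            <li class="dropdown"><a href="/cfpb-activity.htm">CFPB Activity</a></li>
            <li class="dropdown"><a href="/pandemic-oversight.htm">Pandemic Response Oversight</a></li>
            <li class="dropdown"><a href="/faq-about-oig.htm">FAQs</a></li>
          </ul>
        </li>
        <li class="dropdown">
          <a class="dropdown-toggle" data-toggle="dropdown" href="/reports.htm">Reports</a>
          <a class="sub-nav-toggle"><span class="icon-chevron-down"></span></a>
          <ul class="sub-nav">
            <li class="dropdown"><a href="/reports/audit-reports.htm">Audit Reports</a></li>
            <li class="dropdown"><a href="/reports/work-plan.htm">Work Plan</a></li>
            <li class="dropdown"><a href="/reports/semiannual-report-to-congress.htm">Semiannual Reports to Congress</a></li>
            <li class="dropdown"><a href="/reports/major-management-challenges.htm">Major Management Challenges</a></li>
            <li class="dropdown"><a href="/reports/open-recommendations.htm">Open Recommendations</a></li>
            <li class="dropdown"><a href="/reports/peer-reviews.htm">Peer Reviews</a></li>
          </ul>
        </li>
        <li class="dropdown">
          <a class="dropdown-toggle" data-toggle="dropdown" href="/audits.htm">Audits</a>
          <a class="sub-nav-toggle"><span class="icon-chevron-down"></span></a>
          <ul class="sub-nav">
            <li class="dropdown"><a href="/audits-what-we-do.htm">What We Do</a></li>
            <li class="dropdown"><a href="/audit-oversight-areas.htm">Oversight Areas</a></li>
            <li class="dropdown"><a href="/audit-highlights.htm">Audit Highlights</a></li>
          </ul>
        </li>
        <li class="dropdown">
          <a class="dropdown-toggle" data-toggle="dropdown" href="/investigations.htm">Investigations</a>
          <a class="sub-nav-toggle"><span class="icon-chevron-down"></span></a>
          <ul class="sub-nav">
            <li class="dropdown"><a href="/investigations-what-we-do.htm">What We Do</a></li>
            <li class="dropdown"><a href="/fraud-prevention.htm">Fraud Prevention</a></li>
            <li class="dropdown"><a href="/investigations-case-highlights.htm">Case Highlights</a></li>
          </ul>
        </li>
        <li class="dropdown active">
          <a class="dropdown-toggle" data-toggle="dropdown" href="/infotech.htm">Information Technology</a>
          <a class="sub-nav-toggle"><span class="icon-chevron-down"></span></a>
          <ul class="sub-nav">
            <li class="dropdown"><a href="/it-what-we-do.htm">What We Do</a></li>
            <li class="dropdown Level3Selected"><a href="/fisma.htm" aria-current="page">FISMA</a></li>
            <li class="dropdown"><a href="/data-analytics.htm">Data Analytics</a></li>
          </ul>
        </li>
        <li class="dropdown">
          <a class="dropdown-toggle" data-toggle="dropdown" href="/newsroom.htm">Newsroom</a>
          <a class="sub-nav-toggle"><span class="icon-chevron-down"></span></a>
          <ul class="sub-nav">
            <li class="dropdown"><a href="/releases/media-contact.htm">Media Contact Information</a></li>
            <li class="dropdown"><a href="/releases/news-releases.htm">News Releases</a></li>
            <li class="dropdown"><a href="/releases/media-kit.htm">Media Kit</a></li>
          </ul>
        </li>
        <li class="sup-mobile"><a href="/faq-about-oig.htm">FAQs</a></li>
        <li class="sup-mobile"><a href="/careers.htm">Careers</a></li>
        <li class="sup-mobile"><a href="/contact-us.htm">Contact Us</a></li>
      </ul>
      <a href="/hotline.htm">
        <div class="hotline">
          <h3>HOTLINE</h3>
          <p>Report Fraud, Waste,&nbsp;or Abuse</p>
        </div><!-- Closes hotline -->
      </a>
    </div>
  </div>

  <div class="container landing-page">
    <div class="content" id="secondary-content">
      <h3 class="label">IN THIS SECTION</h3>
      <div class="breadcrumbs">
        <ul>
          <li class="dropdown"><a href="/it-what-we-do.htm">What We Do</a></li>
          <li class="dropdown Level3Selected"><a href="/fisma.htm" aria-current="page">FISMA</a></li>
          <li class="dropdown"><a href="/data-analytics.htm">Data Analytics</a></li>
        </ul>
      </div>
      <div>
        <span class="skipSection"><a href="#182">Skip SHARE THIS PAGE section</a></span>
        <div class="section stay-connected share-page">
          <h3 class="label">SHARE THIS PAGE</h3>
          <!-- With JavaScript on, the social links are written by document.writeln
               and route through exitWindow() (presumably the external-link disclaimer
               from exit_Disclaimer.js); the <noscript> anchors are the plain fallback. -->
          <ul class="share-this-page">
            <li class="email-link">
              <a href="/cdn-cgi/l/email-protection#aaf8cfc9c3dac3cfc4deefc7cbc3c695d9dfc8c0cfc9de97ece3f9e7eb8cc8c5ced397c2dededad9908585c5c3cd84cccfcecfd8cbc6d8cfd9cfd8dccf84cdc5dc85ccc3d9c7cb84c2dec7"><span class="icon-email-link"></span><span class="screen-reader">Email this page</span></a>
            </li>
            <li class="twitter-link">
              <script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>
              <script>document.writeln("<a href=\"javascript:exitWindow('https%3A%2F%2Ftwitter%2Ecom%2Fshare%3Furl%3Dhttps%3A%2F%2Foig%2Efederalreserve%2Egov/fisma.htm','external',true)\"><span class='icon-twitter-svg'></span><span class='screen-reader'>Share on Twitter</span></a>");</script>
              <noscript><a href="https://twitter.com/share?url=https://oig.federalreserve.gov/fisma.htm" target="_blank" rel="noopener noreferrer"><span class="icon-twitter-svg"></span><span class="screen-reader">Share on Twitter</span></a></noscript>
            </li>
            <li class="linkedin-link">
              <script>document.writeln("<a href=\"javascript:exitWindow('https%3A%2F%2Fwww%2Elinkedin%2Ecom%2FshareArticle%3Fmini%3Dtrue%26url%3Dhttps%3A%2F%2Foig%2Efederalreserve%2Egov/fisma.htm','external',true)\"><span class='icon-linkedin'></span><span class='screen-reader'>Share on LinkedIn</span></a>");</script>
              <!-- fallback URL decoded from the exitWindow() argument above; it previously linked back to this page -->
              <noscript><a href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://oig.federalreserve.gov/fisma.htm" target="_blank" rel="noopener noreferrer"><span class="icon-linkedin"></span><span class="screen-reader">Share on LinkedIn</span></a></noscript>
            </li>
          </ul>
        </div>
        <a id="182"></a>
        <span class="skipSection"><a href="#417">Skip STAY CONNECTED section</a></span>
        <div class="section stay-connected share-page subscribe">
          <h3 class="label">STAY CONNECTED</h3>
          <ul class="stay-connected-container">
            <li class="rss-link"><a href="/feeds/rss_feeds.htm"><span class="icon-rss"></span><span class="screen-reader">RSS feeds</span></a></li>
            <li class="signup"><a href="/oig_subscribe.htm"><span class="icon-signup-email-updates"></span><span class="screen-reader">Sign up for email updates</span></a></li>
            <li class="twitter-link">
              <script>document.writeln("<a href=\"javascript:exitWindow('https%3A%2F%2Ftwitter%2Ecom%2FOIGFedCFPB','external',false)\"><span class='icon-twitter-svg'></span><span class='screen-reader'>OIG on Twitter</span></a>");</script>
              <noscript><a href="https://twitter.com/OIGFedCFPB" target="_blank" rel="noopener noreferrer"><span class="icon-twitter-svg"></span><span class="screen-reader">OIG on Twitter</span></a></noscript>
            </li>
            <li class="linkedin-link">
              <script>document.writeln("<a href=\"javascript:exitWindow('https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Foig%2Dfederalreserve%2Dcfpb','external',false)\"><span class='icon-linkedin'></span><span class='screen-reader'>OIG on LinkedIn</span></a>");</script>
              <!-- fallback URL decoded from the exitWindow() argument above; it previously pointed at the Twitter profile -->
              <noscript><a href="https://www.linkedin.com/company/oig-federalreserve-cfpb" target="_blank" rel="noopener noreferrer"><span class="icon-linkedin"></span><span class="screen-reader">OIG on LinkedIn</span></a></noscript>
            </li>
          </ul>
        </div>
        <a id="417"></a>
      </div>
    </div>

    <div class="content container" id="main-content">
      <div class="article">
        <a id="maincontent"></a>
        <h1>FISMA</h1>
        <p>The Federal Information Security Modernization Act of 2014 (FISMA) highlights the importance of information security to the economic and national security interests of the United States. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.</p>
        <p>FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized the need for cost-effective, risk-based security programs. FISMA requires Inspectors General, as well as agency program officials and Chief Information Officers, to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses these data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with the act.</p>
        <h2>NIST FISMA Guidance</h2>
        <p>To produce security standards and guidelines for FISMA, the National Institute of Standards and Technology (NIST) established the FISMA Implementation Project in 2003. The project aims to support the implementation of and compliance with FISMA standards. Per FISMA, an effective information security program should include, among other things,</p>
        <ul class="list">
          <li>periodic assessments of risk, including the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization</li>
          <li>policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system</li>
          <li>security awareness training to inform personnel of information security risks</li>
          <li>periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls</li>
          <li>a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies</li>
          <li>procedures for detecting, reporting, and responding to security incidents</li>
          <li>plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization</li>
        </ul>
        <p>In support of FISMA, OMB requires executive agencies within the federal government to</p>
        <ul class="list">
          <li>plan for security</li>
          <li>ensure that appropriate officials are assigned security responsibility</li>
          <li>periodically review the security controls in their information systems</li>
          <li>authorize system processing prior to operations and periodically thereafter</li>
        </ul>
        <p>A key element of the FISMA Implementation Project is NIST's integrated <a href="http://csrc.nist.gov/groups/SMA/fisma/framework.html" target="_blank" rel="noopener noreferrer">Risk Management Framework</a>, which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.</p>
        <h2>OIG Reporting Metrics</h2>
        <p>OIGs are not expected to conduct their own full risk analysis but rather to evaluate how agencies are evaluating risk and prioritizing security issues. OIGs are encouraged to evaluate agency findings and compare them to existing agency priorities, administration priorities, and key FISMA metrics.</p>
        <p>Our office assesses the information security programs of the Board and the CFPB in the following seven areas:</p>
        <ul class="list">
          <li>risk management</li>
          <li>configuration management</li>
          <li>identity and access management</li>
          <li>security training</li>
          <li>information system continuous monitoring</li>
          <li>incident response</li>
          <li>contingency planning</li>
        </ul>
        <p>We determine the maturity level for each area according to FISMA metrics. We then determine whether specific elements were in place for each program and report the data to OMB.</p>
      </div><!-- Closes article -->
    </div><!-- Closes content container -->

    <!-- BEGIN NEW AREA -->
    <div class="right-column">
      <h3 class="label">RELATED INFORMATION</h3>
      <p><strong>IT FAQs</strong></p>
      <a href="/faq-about-oig.htm#information-technology">See common Information Technology questions and answers.</a>
    </div>
    <!-- END NEW AREA -->
  </div><!-- Closes container landing-page -->

  <span id="mobile-placeholder"></span>

  <div class="wrapper-footer">
    <div class="footer container" id="body-footer">
      <div class="container about-fed-cfpb">
        <h3 class="label">LINKS TO THE BOARD AND THE CFPB</h3>
        <ul>
          <li class="fed-seal"><a href="https://www.federalreserve.gov/" target="_blank" rel="noopener noreferrer" title="Board of Governors">Board of Governors</a></li>
          <li class="cfpb-logo"><a href="http://www.consumerfinance.gov/" target="_blank" rel="noopener noreferrer" title="Consumer Financial Protection Bureau">Consumer Financial Protection Bureau</a></li>
        </ul>
      </div><!-- Closes about-fed-cfpb -->
      <div class="container related-sites">
        <h3 class="label">RELATED SITES AND RESOURCES</h3>
        <ul>
          <li><a href="http://www.gao.gov/" target="_blank" rel="noopener noreferrer">U.S. Government Accountability Office</a></li>
          <li><a href="http://www.ignet.gov/" target="_blank" rel="noopener noreferrer">Council of the Inspectors General on Integrity and Efficiency</a></li>
          <li><a href="http://www.treasury.gov/about/organizational-structure/ig/Pages/Council-of-Inspectors-General-on-Financial-Oversight.aspx" target="_blank" rel="noopener noreferrer">Council of Inspectors General on Financial Oversight</a></li>
          <li><a href="https://oversight.gov/" target="_blank" rel="noopener noreferrer">Oversight.gov</a></li>
        </ul>
        <ul>
          <li><a href="/sitemap.htm">Sitemap</a></li>
          <li><a href="https://www.federalreserve.gov/accessibility.htm" target="_blank" rel="noopener noreferrer">Accessibility</a></li>
          <li><a href="https://www.federalreserve.gov/disclaimer.htm" target="_blank" rel="noopener noreferrer">Disclaimer</a></li>
          <li><a href="https://www.federalreserve.gov/privacy.htm" target="_blank" rel="noopener noreferrer">Privacy</a></li>
        </ul>
        <ul>
          <li><a href="https://www.federalreserve.gov/foia/about_foia.htm" target="_blank" rel="noopener noreferrer">FOIA</a></li>
          <li><a href="https://www.federalreserve.gov/eeo.htm" target="_blank" rel="noopener noreferrer">No Fear Act Data</a></li>
          <li><a href="http://www.usa.gov/" target="_blank" rel="noopener noreferrer"><img src="/gifjpg/usagov_logo_color_notag.gif" width="75" height="21" title="usa.gov logo: USA.gov is the U.S. government's official web portal to all federal, state, and local government web resources and services" alt="usa.gov logo: USA.gov is the U.S. government's official web portal to all federal, state, and local government web resources and services" style="width: 75px; height: 21px; margin-left: -11px;"></a></li>
        </ul>
      </div><!-- Closes related-sites -->
    </div><!-- Closes body-footer -->
  </div><!-- Closes wrapper-footer -->

  <script src="/resources/jquery.min.js"></script>
  <!-- third-party script pinned with SRI; keep integrity in step with the version -->
  <script src="https://code.jquery.com/ui/1.14.0/jquery-ui.js" integrity="sha256-u0L8aA6Ev3bY2HI4y0CAyr9H8FRWgX4hZ9+K7C2nzdc=" crossorigin="anonymous"></script>
  <script>
    // Accordion behaviour for .accordion-header / .accordion-content pairs
    // (no such elements appear on this page; shared site template).
    $(document).ready(function () {
      $('.accordion-content').hide();
      $('.accordion-header').click(function () {
        $('.accordion-content:visible').slideUp('slow');
        $(this).next().slideDown('slow');
      });
    });
  </script>
  <script src="/resources/oig_Custom.js"></script>
  <script src="/resources/_faq.js"></script>
  <script src="/resources/faq.js"></script>
  <!-- Last Published: Jan 23, 2025 08:42 A -->
  <!-- Cloudflare-injected challenge bootstrap; generated, left verbatim -->
  <script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'915f38b27c673d98',t:'MTc0MDIyOTg4MS4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script>
</body>
</html>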
