NIH Office of Management Assessment

Federal Information Security Management Act and Agency Privacy Management (FISMA)

Overview and Requirements

The Department of Health and Human Services (HHS) prepares an annual Federal Information Security Management Act and Agency Privacy Management (FISMA) report as required under the E-Government Act of 2002. The report inventories agency information technology (IT) systems and the steps that each agency has taken to protect the systems. The annual submission includes a privacy section (Section D) which highlights significant accomplishments in implementing requirements of the Privacy Act and E-Government Act. The report also describes key areas of progress that lead to improved performance in delivering programs and services to HHS constituents. As an Operating Division (OPDIV) of HHS, NIH is required to complete the annual FISMA report for consolidation with other OPDIV reports, and submission by the Department to the Office of Management and Budget (OMB). The consolidated FISMA report is used by OMB to produce the Report to Congress on the Benefits of the E-Government Initiatives. After review, Congress provides grades for each agency based on its assessment of overall agency compliance with FISMA requirements.

FISMA requires:

  • The establishment of a new agency within the OMB, the Office of Electronic Government, which will be responsible for electronic information management and for promoting interagency cooperation to improve public services;
  • Agency officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of agency information security programs and report the results to the OMB;
  • Agencies to perform management, evaluation, and reporting activities, such as conducting annual self-assessments and independent assessments by the agency’s IG;
  • Regulatory agencies and courts to establish websites to post actions, judgments, and judicial rulings;
  • Agencies to help identify information technology opportunities to improve the efficiency of government-to-business transactions; and
  • Senior Agency Officials for Privacy (SAOPs) to conduct surveys which report the status and quality of the Department’s privacy program to OMB.

Policies and Procedures

NIH Manual 1745 - Information Technology (IT) Privacy Program:
https://www3.od.nih.gov/oma/manualchapters/management/1745/

Roles and Responsibilities (e.g., POCs)

NIH Manual 1745 - Information Technology (IT) Privacy Program:
https://www3.od.nih.gov/oma/manualchapters/management/1745/

Education and Outreach

NIH Privacy Awareness Training:
http://irtsectraining.nih.gov

Frequently Asked Questions (FAQs)

1. What is FISMA's purpose?

  • Inform and raise awareness among Federal agency heads of the importance of information security programs;
  • Facilitate the development of security programs through mandatory comprehensive reporting and evaluation; and
  • Ensure that federal agencies take the necessary precautions to secure agency IT systems and protect personally identifiable information (PII) and mitigate the risk of a breach to PII.

2. What are the major components of the FISMA Section D report?

  • Inventory of Systems that Contain Federal Information in Identifiable Form which require a Privacy Impact Assessment (PIA) or System of Records Notice (SORN);
  • Links to PIAs and SORNs;
  • Senior Agency Official for Privacy (SAOP) Responsibilities;
  • Information Privacy Training and Awareness;
  • PIA and Web Privacy Policies and Processes;
  • Policy Compliance;
  • Agency Use of Persistent Tracking Technology; and
  • Privacy Points of Contact.

3. What is the FISMA report process/timeline?

  • While FISMA compliance is an ongoing process, which requires quality reviews, the final annual report is due at the end of the Federal fiscal year (September 30);
  • All FISMA report data are collected approximately two months in advance of the report deadline so that the data can be compiled and forwarded, through the Department, to the IG; and
  • Agencies must continually monitor IT systems and privacy procedures and responsibilities to ensure that OPDIVs are compliant with Federal IT and privacy laws.

Definitions

Accreditation: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operation (including mission, function, image, or reputation), agency assets, or individuals based on the implementation of an agreed-upon set of security controls. (Defined in NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," Appendix B).

Certification: A comprehensive assessment of the management, operational, and technical security controls in an information system made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (Defined in NIST SP 800-37, Appendix B).

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Defined in NIST SP 800-53, "Recommended Security Controls for Federal Information Systems," Appendix B).

Major Change: Any change that is made to the system environment or operation of the system. According to OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, PIAs should be conducted following any major changes, including, but not limited to:

  • Conversions: A conversion from paper-based methods to electronic systems;
  • Anonymous to Non-Anonymous: When the system’s function, as applied to an existing information collection, changes anonymous information into IIF;
  • Significant System Management Changes: In the case that new uses of an existing IT system, including application of new technologies, significantly change the process of managing IIF in the system;
  • Significant Merging: When agencies adopt or alter business processes so that government databases holding IIF are merged, centralized, matched with other databases, or otherwise significantly manipulated;
  • New Public Access: When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system, which can be accessed by the public;
  • Commercial Sources: When IIF is obtained from commercial or public sources and is systematically integrated into the existing information systems databases;
  • New Interagency Uses: When agencies work together on shared functions involving significant new uses or exchanges of IIF;
  • Internal Flow or Collection: When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional IIF; and
  • Alteration in Character of Data: When new IIF added to a collection raises the risk to personal privacy, such as the addition of health or privacy information.

(Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments).

Note: The acronyms PII and IIF are often used interchangeably.

Plan of Action and Milestones (POA&M): A POA&M is a management process that outlines weaknesses and delineates the tasks necessary to mitigate them. The HHS Information Security Program POA&M process is used to facilitate the remediation of information security program- and system-level weaknesses, and provides a means for:

  • Planning and monitoring corrective actions;
  • Defining roles and responsibilities for weakness resolution;
  • Assisting in identifying the security funding requirements necessary to mitigate weaknesses;
  • Tracking and prioritizing resources; and
  • Informing decision makers.

(Defined in the HHS POA&M Guide).

Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:

  • Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
  • Unintentional errors and omissions;
  • IT disruptions due to natural or man-made disasters; or
  • Failure to exercise due care and diligence in the implementation and operation of the information system.

(Defined in NIST SP 800-30, "Risk Management Guide for Information Technology Systems," Appendix E).

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses. (Defined in NIST SP 800-30, Appendix E).

System: A collection of computing and/or communications components and other resources that support one or more functional objectives of an organization. IT system resources include any IT component plus associated manual procedures and physical facilities that are used in the acquisition, storage, manipulation, display, and/or movement of data or to direct or monitor operating procedures. An IT system may consist of one or more computers and their related resources of any size. The resources that comprise a system do not have to be physically connected. (Defined in NIST SP 800-16, Appendix C).

Threat: Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (Defined in NIST SP 800-53, Appendix B).

References

White House E-Government Act Website:
http://www.whitehouse.gov/omb/egov/

The E-Government Act of 2002 (see Title III):
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf

Federal Information Security Management Act 2002, Title III, the full text:
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Privacy Act of 1974 (5 U.S.C. Section 552a, as amended):
http://www.usdoj.gov/oip/privstat.htm
http://www.usdoj.gov/oip/04_7_1.html

Report to Congress on the Benefits of the E-Government Initiatives:
http://www.whitehouse.gov/omb/egov/g-10-Section_841.html

OMB Memorandum M-03-22 issued in September 2003:
http://www.whitehouse.gov/omb/memoranda/m03-22.html

OMB Memorandum M-05-15 issued in June 2005:
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html

OMB Memorandum M-06-15 issued in May 2006:
http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf

OMB Memorandum M-07-19 issued in July 2007:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-19.pdf

NIH, HHS, and Federal Privacy Act Systems of Records Notices (SORNs):
http://oma.od.nih.gov/ms/privacy/pa-files/read02systems.htm

NIH Manual 1745 - Information Technology (IT) Privacy Program:
https://www3.od.nih.gov/oma/manualchapters/management/1745/

NIH IT General Rules of Behavior:
http://ocio.nih.gov/security/nihitrob.html

Last updated on:
March 24, 2009