FISMA

Summary

The Federal Information Security Management Act (FISMA) was originally passed in 2002 as part of the Electronic Government Act. FISMA defines a framework of guidelines and security standards to protect government information and operations. FISMA requires all federal agencies to develop, document and implement agency-wide information security programs. NIST SP 800-53 serves as the primary resource that federal agencies use to implement the security controls required by FISMA. The IDs for these controls correspond to those of the NIST 800-53 standard. The version used for this section is NIST 800-53, Rev. 5, September 2020.

Definitions

Definition	Requirements
FISMA-AC-2_2. Removal of temporary or emergency accounts	023. Terminate inactive user sessions 027. Allow session lockout
FISMA-AC-2_3. Disable accounts	144. Remove inactive accounts periodically
FISMA-AC-2_4. Automated audit actions	301. Notify configuration changes
FISMA-AC-2_6. Dynamic privilege management	095. Define users with privileges 096. Set user's required privileges
FISMA-AC-2_7a. Establish and administer privileged user accounts	095. Define users with privileges 096. Set user's required privileges
FISMA-AC-2_7b. Monitor privileged role or attribute assignments	095. Define users with privileges 096. Set user's required privileges
FISMA-AC-2_7c. Monitor changes to roles or attributes	095. Define users with privileges 096. Set user's required privileges
FISMA-AC-2_10. Shared and group account credential change	144. Remove inactive accounts periodically
FISMA-AC-2_13. Disable accounts for high-risk individuals	144. Remove inactive accounts periodically 027. Allow session lockout
FISMA-AC-6. Least privilege	186. Use the principle of least privilege
FISMA-AC-12. Session termination	369. Set a maximum lifetime in sessions 023. Terminate inactive user sessions
FISMA-AC-18_5. Antennas and transmission power levels	249. Locate access points
FISMA-IA-1. Policy and procedures	229. Request access credentials
FISMA-IA-2. Identification and authentication (organizational users)	121. Guarantee uniqueness of emails 229. Request access credentials 257. Access based on user credentials 265. Restrict access to critical processes
FISMA-IA-7. Cryptographic module authentication	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
FISMA-PL-4_1. Social media and external site/applications usage restrictions	260. Use alternative emails
FISMA-SC-3. Security function isolation	235. Define credential interface

Last updated

2024/01/12