Federal Information Security Management Act (FISMA) report

This report lists the FISMA issues found on your site. Many web application vulnerabilities can lead, directly or indirectly, to security breaches of personal information and might therefore be considered violations of the regulation.

Why it matters

The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure comprehensive measures are taken to secure federal information and assets. FISMA compliance is a matter of national security, and is therefore scrutinized at the highest level of government. Because the Act applies to the information and information systems used by the agency, contractors, and other organizations, it has a wider applicability than previous security laws. Agency IT security programs apply to all organizations that possess or use Federal information - or which operate, use, or have access to Federal information systems - on behalf of a Federal agency, including contractors, grantees, State and local governments, and industry partners. Therefore, Federal security requirements continue to apply, making the agency responsible for ensuring appropriate security controls.

Federal agencies must transmit an annual report on their compliance with IT security requirements to the Office of Management and Budget (OMB) by October of each year. OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made toward fulfilling its FISMA goals and milestones.

FISMA compliance requires detailed reporting and measurement of the agency's cyber security posture, covering both existing risks and remediation plans. Verifying compliance for every IT system within the organization requires comprehensive validation testing and remediation planning, with coordinated reporting and information flow, so that the agency head can accurately report on the agency's current FISMA compliance status.

Organizations lacking a centralized IT function and the foundational processes and procedures required for testing and reporting on the various IT systems must build this infrastructure from scratch and are under significant time pressure, which in turn leaves little room for error. Most government agencies have hundreds, if not thousands, of systems that comprise the IT/IS infrastructure. These numbers exacerbate the compliance reporting requirements and ultimately lead to FISMA compliance failure. Coupled with limited funding and potential misinterpretations of the requirements, many agencies are in dire compliance shape.

Table 1. Issues detected across 14/20 sections of the regulation:

Control number   Control
AC-2(2)          Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-4             Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
AC-6             Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-7             a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]
AC-10            Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
AC-12            Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]
AC-17            a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
                 b. Authorize each type of remote access to the system prior to allowing such connections.
CM-7             a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
                 b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
IA-2             Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-4(1)          Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
IA-5             Manage system authenticators by:
                 a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
                 b. Establishing initial authenticator content for any authenticators issued by the organization;
                 c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
                 d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
                 e. Changing default authenticators prior to first use;
                 f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
                 g. Protecting authenticator content from unauthorized disclosure and modification;
                 h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
                 i. Changing authenticators for group or role accounts when membership to those accounts changes.
RA-5             a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
                 b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
                    1. Enumerating platforms, software flaws, and improper configurations;
                    2. Formatting checklists and test procedures; and
                    3. Measuring vulnerability impact;
                 c. Analyze vulnerability scan reports and results from vulnerability monitoring;
                 d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
                 e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
                 f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SC-5             a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and
                 b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
SC-8             Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.
SC-13            a. Determine the [Assignment: organization-defined cryptographic uses]; and
                 b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].
SC-23            Protect the authenticity of communications sessions.
SI-3.A           Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
SI-3.B           Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
SI-10            Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].
SI-11.A          Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.