Federal Information Security Management Act (FISMA) Compliance Management and Oversight

A Strategy for Successful Information Technology Infrastructure Management and Oversight

The Federal Information Security Management Act of 2002 (FISMA) established mandates on government agencies with respect to their information and information systems. Within a Federal agency, FISMA is designed to enhance the effectiveness of information security, provide for government-wide management of information security risks, develop controls for information and information systems, and provide for effective oversight of Federal agency information security programs. FISMA identifies a series of specific actions that Federal agencies must undertake in order to ensure compliance with its mandates. These include periodic risk assessments, the development of information security policies and procedures, security awareness training, procedures for detecting and reporting security incidents, plans for continuity of operations, annual reporting on the security program's effectiveness, and various other actions.

How We Can Assist Agency Program Managers with Management and Oversight of IT Security Programs

  • Administrative support throughout the IT Security life cycle
  • Performance of comprehensive FISMA audits
  • Development of IT security policies and procedures
  • Development, marketing, and delivery of Enterprise Security Awareness programs
  • Assistance with the development and implementation of audit findings remediation plans
  • Preparation of Cost Benefit Analyses (300Bs) under the Clinger-Cohen Act
  • Assistance with annual reporting

Some of Our Relevant Experience

  • Provided comprehensive FISMA compliance review services to the Department of State. These services were provided for systems utilized world-wide and encompassed such tasks as reviews of the major systems inventory, the certification and accreditation process, configuration management, E-Authentication controls, Plans of Action and Milestones (POAM), Privacy Act compliance, and incident reporting. This engagement was conducted using NIST and OMB standards and review programs.
  • Provided Information Systems Security Audits of Access Controls to the US Agency for International Development. These services were provided in support of the Government Management Reform Act, included the application of standards as enumerated in the GAO's Federal Information System Controls Audit Manual (FISCAM), and incorporated a broad range of vulnerability assessments of systems.
  • Provided Independent Verification and Validation of IT Security Audit findings of the Architect of the Capitol's General Support Systems. This included Unix, AS400, LAN Windows, Novell, Blackberry and Oracle resources that support over 40 applications in an on-site data center and a separate hot site maintained for disaster recovery.
  • Provided Enterprise Security Awareness Training (ESAT) to the Department of Housing and Urban Development. The objectives of the ESAT program were to provide full awareness training, relative to Critical Infrastructure Protection (CIP), to 9,300 HUD employees in the form of instructor-led, web-based, and Computer-Based Training (CBT). Services were conducted in accordance with FISMA, Presidential Decision Directives 63 and 67, NIST Special Publication 800-16, and OMB Circular A-130.
  • Prepared numerous Cost Benefit Analyses of Information Technology Investments under the Clinger-Cohen Act for CMS. These services consisted of preparing baseline Cost Benefit Analyses (CBAs) and variance analyses on major IT investment projects, data gathering, conducting industry research on technology initiatives, performing project cost benchmarking, and preparing Forms 300B.