Federal Information Security Modernization Act (FISMA)


The 2021 Federal Information Security Modernization Act (FISMA) requires the head of each Federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.

The following document and definitions provide guidance for the RY 2021 FISMA metrics.

Adversarial Testing
Organizations can use adversarial testing to inform themselves of the exploitable vulnerabilities inherent to their network. This testing can be described as Red Team, Penetration Testing, Application testing, or in other terms. In the same way that Continuous Diagnostics and Mitigation can discover previously unknown vulnerabilities, periodic adversarial testing can help organizations identify and mitigate potential risk before it is exploited with malicious intent. For this reason, it is important for all organizations to consider this as part of their risk management program.

Centrally visible at the enterprise-level
Information collected or consolidated by tools or solutions is transmitted via an automated process to a single centralized, continuously reviewed dashboard, report, or alert mechanism with purview over the entire enterprise.

Contractor Operated System
A federal information system that is used or operated by a contractor of an executive agency, or by another organization on behalf of an executive agency.

Controlled Unclassified Information (CUI)
Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.

Derived credential
A credential issued based on proof of possession and control of an authenticator associated with a previously issued credential (e.g., a PIV credential), so as not to duplicate the identity proofing process. (NIST SP 800-63-3)

Enterprise
The entire reporting organization that includes each organizational component with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance.

Government Furnished Equipment (GFE)
Government Furnished Equipment (GFE) is equipment that is owned and used by the government or made available to a contractor (FAR Part 45).

Hardware assets
Organizations have typically divided these assets into the following categories for internal reporting. The detailed lists under each broad category are illustrative and not exhaustive. (Note: “other input/output devices” should be used to capture other kinds of specialized devices not explicitly called out.)

• Endpoints:
o Servers (including mainframe/minicomputers/midrange computers)
o Workstations (desktops, laptops, Tablet PCs, and net-books)
o Virtual machines that can be addressed as if they are a separate physical machine should be counted as separate assets, including dynamic and on-demand virtual

• Mobile devices:
o Smartphones
o Tablets
o Pagers

• Networking devices:

o Modems/routers/switches
o Gateways, bridges, wireless access points
o Firewalls
o Intrusion detection/prevention systems
o Network address translators (NAT devices)
o Hybrids of these types (e.g., NAT router)
o Load balancers
o Encryptors/decryptors
o Alarms and physical access control devices
o PKI infrastructure
o Other nonstandard physical computing devices that connect to the network

• Other input/output devices if they appear with their own address
o Industrial control system
o Printers/plotters/copiers/multi-function devices
o Fax portals
o Scanners/cameras
o Accessible storage devices
o VOIP phones
o Other information security monitoring devices or tools
o Other devices addressable on the network

Incident
A violation, or imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices (NIST SP 800-61 Rev2).

Information system(s)
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Information System Contingency Plan (ISCP)
An ISCP provides established procedures for the assessment and recovery of a system following a system disruption. The ISCP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system.

IPv6-Enabled Asset
An asset where the IPv6 protocol is fully supported and is operationally enabled for native use (i.e., not tunneled over or translated to IPv4) for all network functions.

Local system account
A predefined local account used by the service control manager that has extensive privileges on a local system.

Mean time
The sum of time between detections divided by the number of detections.

Mobile device
A portable computer device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., by wirelessly transmitting or receiving information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.

Network
Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Network Access
Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Network Account
A user account that provides access to the network.

Non-user account
An account that is not intended to be controlled directly by a person (or group). The account is either (a) intended to be used by the system or an application, which presents credentials and performs functions under the management of the person (or group) that owns the account, or (b) created to establish a service (like a group mailbox), and no one is expected to log into the account.

Organization Network
The interconnected information systems or components controlled by an organization or trusted to communicate without having traffic inspected by a trusted intermediary (e.g., Trusted Internet Connection (TIC) or Managed Trusted Internet Protocol Services (MTIPS) provider).

Personal Identity Verification (PIV) credentials
A physical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation, etc.) such that a claimed identity of the cardholder may be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable). The Federal standard for this is specified as Federal Information Processing Standard Publication 201 (FIPS 201).

Privileged local system account
A user account with elevated privileges which is typically allocated to system administrators, database administrators, developers, and others who are responsible for system/application control, monitoring, or administration functions. In Linux or other Unix-like operating systems, these are typically referred to as root account, root user, or super-user accounts.

Privileged network account
A network account with elevated privileges, which is typically allocated to system administrators, network administrators, and others who are responsible for system/application control, monitoring, or administration functions.

Public key infrastructure (PKI)
A set of policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

Remote access
The ability for an organization’s users to access its non-public computing resources from locations external to the organization’s facilities.

Remote access connections
An external connection that allows access to the organization’s internal/private network utilizing one of the remote access connection methods described in Metric 2.10.

Remote desktop protocol (RDP)
A protocol (developed by Microsoft) that allows a user the ability to use a graphical interface over a network connection.

Physically, logically, or virtually separated from the general computational environment by controlled access through a managed interface.

Sender authentication protocols
Protocols to validate the identity of email senders and protect against forgery of those identities:
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting & Conformance (DMARC)
• Sender Policy Framework (SPF)
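As an added example that is not part of the FISMA glossary, the following Python summarizes a domain's posture for the three protocols listed above from its DNS TXT records. The domains, record names and values are constructed inline so the check runs offline, and the criteria for "enforcing" (SPF hard fail, a published DKIM key, DMARC p=reject at pct=100) are the example's own, not drawn from the metrics.

```python
import re

# Constructed sample TXT records for hypothetical domains; the DKIM key is a placeholder.
SAMPLE_TXT = {
    "example.gov": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.gov -all"],
    "_dmarc.example.gov": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.gov"],
    "s1._domainkey.example.gov": ["v=DKIM1; k=rsa; p=MIIBIjANBg...PLACEHOLDER"],
    "weak.example.gov": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example.gov": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example.gov"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Qualifier on SPF 'all': '-' fail, '~' softfail, '?' neutral, '+' pass (default); None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return (match.group(1) or "+") if match else None

def assess_domain(domain, txt):
    """Summarize sender-authentication posture for one domain from its TXT records."""
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    dmarc_tags = parse_tags(dmarc[0]) if dmarc else {}
    suffix = "._domainkey." + domain
    dkim = any(name.endswith(suffix) and r.lower().startswith("v=dkim1")
               for name, records in txt.items() for r in records)
    result = {
        "spf_present": bool(spf),
        "spf_all": spf_all_qualifier(spf[0]) if spf else None,
        "dkim_present": dkim,
        "dmarc_present": bool(dmarc),
        "dmarc_policy": dmarc_tags.get("p"),
        "dmarc_pct": int(dmarc_tags.get("pct", "100")) if dmarc else None,
        "dmarc_reporting": "rua" in dmarc_tags,
    }
    # Fully enforcing: SPF hard-fails unknown senders, a DKIM key is published,
    # and DMARC rejects failing mail for 100% of messages.
    result["enforcing"] = (result["spf_all"] == "-" and dkim
                           and result["dmarc_policy"] == "reject"
                           and result["dmarc_pct"] == 100)
    return result
```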

Smart phone
A mobile phone built on a mobile computing platform, with more advanced computing ability and connectivity than a contemporary feature phone.

Successful phishing attack
A network user responds to a fraudulent message producing a negative impact on confidentiality, integrity, and/or availability of the organization’s information.

Unclassified information system(s)
Information system(s) processing, storing or transmitting information that does not require safeguarding or dissemination controls pursuant to E.O. 13556 (Controlled Unclassified Information) and has not been determined to require protection against unauthorized disclosure pursuant to E.O. 13526 (Classified National Security Information), or any predecessor or successor Order, or the Atomic Energy Act of 1954, as amended.

Unclassified network
A collection of interconnected components of unclassified information system(s). For FISMA reporting purposes, these components are limited to endpoints, mobile assets, network devices, and input/output assets as defined under hardware assets.

Unprivileged Network Account
An unprivileged network account is any account that is not a privileged network account, also known as a standard account.

Virtual desktop infrastructure (VDI)
A server or collection of servers that allow the ability to host multiple guest desktop operating systems for end-users.

Virtual machine
Software that allows a single host to run one or more guest operating systems.

Virtual private network (VPN)
A connection that allows the Agency to extend its internal/private network to a remote location through an untrusted network (e.g., Internet).
