Friday, March 31, 2023

FISMA 2002 and FISMA 2014


The Federal Information Security Management Act (FISMA) is a United States law that establishes a framework for securing information and information systems owned or operated by federal agencies. The law was originally enacted in 2002 and was amended in 2014. Here are some of the key differences between FISMA 2002 and FISMA 2014:

  1. Scope: FISMA 2002 primarily focused on securing information and information systems within federal agencies. FISMA 2014 expands the scope to include contractors and other non-federal entities that process or store federal information.
  2. Continuous Monitoring: FISMA 2014 requires continuous monitoring of information systems and cybersecurity risks. This means that agencies must regularly monitor their systems to identify and address potential security vulnerabilities.
  3. Risk Management: FISMA 2014 emphasizes risk management as a key component of information security. Agencies must conduct ongoing risk assessments and implement risk-based security controls.
  4. Security Controls: FISMA 2014 places greater emphasis on using security controls that are appropriate for the specific risk level of an information system. Agencies must select and implement controls based on risk assessments and ongoing monitoring.
  5. Reporting Requirements: FISMA 2014 streamlines reporting requirements for agencies, with a focus on providing more actionable information to stakeholders. Agencies must report on their security posture, vulnerabilities, and mitigation efforts in a standardized format.

Overall, FISMA 2014 represents a significant update to the original law, with a greater emphasis on risk management, continuous monitoring, and the use of appropriate security controls.
