Lohrmann on GovSpace
About this Blog:
Musings of a state government CSO.
Is FISMA Compliance for State & Local Governments Too?
Are state & local governments required to comply with the Federal Information Security Management Act (FISMA)? Over the past two years, I’ve heard various opposing views on this question.
First, let me clarify the question. I’m not asking if following NIST and FISMA security directions makes sense and is the “right thing to do” for state & local governments. It is. Many state and local government staff use NIST documents to help address numerous security questions. The Computer Security Resource Center on the NIST website is gold mine for great security information, sample policies, federal guidance, etc. It is the go-to site for many public and private sector organizations. Virtually every state & local colleague I know uses the site to some extent, and if you don’t, you should.
Still FISMA compliance is very hard and takes major resources and commitment. Our federal colleagues know that only too well. My question is more around the terms “guidance” or “mandate.” Should state and local governments view this as “commandments” or the suggestions?
For some background, I recommend reading the September 2005 “Final Audit Report – Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected” from the US Department of Treasury’s Deputy Inspector General for Audit.
If you don’t want to take the time to read that PDF, I’ll tell you that the auditor and the Chief, Mission Assurance and Security Services at Treasury disagree on whether FISMA requirements apply to state agencies receiving Federal tax information. This is just one example, but if you Google this question, you can find several other similar documents online.
Before I post my opinions on this, I’d love to hear reader’s viewpoints, especially federal, state, and local government employees and contractors, on this topic.
Previous Post: Lessons in Changing Culture - Or Not? Part 3: Like Rooting for Duke...Next Post: Do States Need FISMA Compliance? It depends. (Part 2 of 2)
WEBCAST
Transition Confidently to the Cloud
Thanks to cloud computing, your business data is everywhere and being accessed by everyone. Making the wrong decision to protect your data can result in high costs, increased risk and executive exposure. View this live webinar on cloud security and the evolving data center, and learn why a data-centric approach to security is the best bet for today's virtual environment.
WHITE PAPER
Magic Quadrant for Enterprise Information Archiving
Gartner evaluates vendors offering products and services that provide archiving for email, files and other content types.
Recent Comments
Webcasts
- Enterprise File Sharing: All You Need to Know
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Security Analytics Video
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- B2B Integration on Cloud: Real World Solutions and Technology Advances
White Papers
