Tue, 2006-12-05 11:48
Are state & local governments required to comply with the Federal Information Security Management Act (FISMA)? Over the past two years, I’ve heard various opposing views on this question.
First, let me clarify the question. I’m not asking if following NIST and FISMA security directions makes sense and is the “right thing to do” for state & local governments. It is. Many state and local government staff use NIST documents to help address numerous security questions.
The Computer Security Resource Center on the NIST website is gold mine for great security information, sample policies, federal guidance, etc. It is the go-to site for many public and private sector organizations. Virtually every state & local colleague I know uses the site to some extent, and if you don’t, you should.
Still FISMA compliance is very hard and takes major resources and commitment. Our federal colleagues know that only too well. My question is more around the terms “guidance” or “mandate.” Should state and local governments view this as “commandments” or the suggestions?
If you don’t want to take the time to read that PDF, I’ll tell you that the auditor and the Chief, Mission Assurance and Security Services at Treasury disagree on whether FISMA requirements apply to state agencies receiving Federal tax information. This is just one example, but if you Google this question, you can find several other similar documents online.
Before I post my opinions on this, I’d love to hear reader’s viewpoints, especially federal, state, and local government employees and contractors, on this topic.
As a government contractor, we were looking for FISMA certification standards for government contractors because of the FISMA certification requirement in RFPs. We contacted a NIST employee who said that agencies should put specific requirements in RFPs instead of just requiring a vague notion of FISMA compliance and added that FISMA is for Federal agencies not contractors. He said the forms I was looking for did not exist: not even the agencies had forms. What is your take on this?