FISMA Reforms Key Changes
1. InfoSec Learning Center
Key Points of FISMA Reforms of 2013
April 5, 2013
Company Sensitive
This document is the property of Trusted Integration, Inc.
It should not be duplicated or distributed to any third-party entity
2. Background
Known as H.R. 1163 – Federal Information Security Amendments Act of 2013.
Approved by the House of Representatives on March 20, 2013.
May alter the current FISMA landscape and how agencies and corporations are moving toward addressing the changing cyber climate.
Historically, FISMA has relied on a paper-based approach to governance.
CISOs have contended that the current FISMA law limits their ability to enhance the security posture of their organization.
3. Key Changes
Extends responsibility for cybersecurity to the head of the agency.
Each agency is required to designate a Chief Information Security Officer (CISO).
CISOs must possess the qualifications to conduct and implement the security program outlined.
The CISO is responsible for the implementation of an agency-wide security program.
Allows the use of automated technologies to support cyber threat assessments.
OMB will oversee a Federal government incident response center where incident information can be maintained, and which will assist other agencies with their cyber-incidents, with guidance from key organizations including NIST.
4. Responsibilities of CISO
Overseeing the establishment and maintenance of a security operation that, through automated and continuous monitoring, can detect, contain and mitigate incidents that impair information security and agency information systems;
Developing, maintaining and overseeing an agency-wide information security program;
Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
Training and overseeing personnel with significant responsibilities for information security;
Assisting senior agency officials on cybersecurity matters;
Ensuring the agency has a sufficient number of trained and security-cleared personnel to assist in complying with federal cybersecurity law and procedures;
Reporting at least annually to agency executives on the effectiveness of the agency information security program; information derived from automated and continuous monitoring, including threat assessments; and progress on actions to remediate threats.
Source: “CISOs: FISMA Reforms Establishes CISO Responsibilities”, Process Unity Press Release,
March 21, 2013
5. OMB Federal Incident Security Center
Provide guidance and assistance to other agencies on detecting and handling security incidents.
Compile information on security incidents (and presumably define metrics and share best practices with other agencies).
Inform other agencies about the current and potential threat landscape.
Work with NIST and any other agencies.
Operators of national security systems must also report incidents to the same Center.
The Director of the Center is responsible for defining and implementing policies and procedures consistent with H.R. 1163.
6. About TrustedAgent GRC
TrustedAgent Governance, Risk and Compliance (GRC) provides organizations with a central technology platform to manage the organization’s security assessment, authorization, and continuous monitoring for risk and compliance management across the enterprise using several standards including FedRAMP, ISO 27001, HIPAA/HITECH, PCI DSS, COBIT, NERC, and FISMA.
TrustedAgent GRC collects and aggregates results from other ancillary tools such as asset management, configuration management, vulnerability management, and other information security tools and processes for analysis and understanding of the enterprise risk profile, conducting compliance and remediation, and management reporting.
TrustedAgent GRC provides a structured, consistent, and time-saving approach to implementing compliance deliverables, accelerates the process of securing authorization, and maintains ongoing support for security assessment and continuous monitoring to meet the challenges of governance for commercial enterprises and government agencies.
7. Governance and Security Standards
8. About Trusted Integration
Since 2001, Trusted Integration has been a leader in providing Governance, Risk and Compliance management solutions for government and commercial organizations, specializing in superior-quality, cost-saving information risk management solutions for Federal Government compliance (FISMA, DIACAP, and FedRAMP). In addition, Trusted Integration also provides compliance solutions supporting the payment card industry data security standard (PCI-DSS), health care HIPAA/HITECH, and information technology governance including COBIT and ISO 27001.
For more information, visit us at www.trustedintegration.com.
Trusted Integration, Inc.
525 Wythe Street
Alexandria, VA 22314
(703) 299-9171
solutions@trustedintegration.com