Protecting U.S. Federal Data

The national and economic security of the United States depends on the reliable functioning of information technology systems that are proactively protected, continuously monitored, and resistant to attacks.

The Federal Information Security Management Act (FISMA) is a law enacted in 2002 that mandates a process to strengthen the security posture of the government's information systems. More recently, the Federal Risk and Authorization Program (FedRAMP), designed specifically for cloud systems, was made mandatory in June 2014. Together they serve to meet the high-performance, complex, and evolving security needs of the Federal government.

When properly implemented, these security compliance frameworks provide a strong cyber-security posture to protect federal assets. They contain security requirements that incorporate industry best practices and strong cyber-security baseline requirements. They force the development of procedures, policies, and plans that enhance the security and resilience of the Nation.

Unfortunately, for a host of reasons, including lack of funding, resources, and executive support, FISMA and FedRAMP are not implemented as often as they should be. The Council of the Inspectors General on Integrity and Efficiency issued a report in September 2014 on its Cloud Computing Initiative. The report contained the results of a Government-wide initiative to evaluate participating agencies' efforts in adopting cloud computing technologies and the associated security measures. It showed that many Federal agencies did not meet the requirement to become compliant with FedRAMP and therefore have gaps in their security defenses.

Therefore, it is highly recommended that government Contracting Officers and Contracting Officer's Technical Representatives become familiar with the FISMA and FedRAMP initiatives and incorporate these security compliance frameworks into the systems they are purchasing from industry. Once industry receives, understands, and accepts the need for additional cyber-security, it can deliver resilient systems that robustly protect national assets.


Eric Barr

Director, Acquisition Workforce Staffing Division, DHS PARM

9y

Good post, Abel. While my experience in military and current fed gov is long strong coupled with CAC or PIV, I think the time is coming for multi-factor to include a biometric.

Thomas Neudenberger 💻🔐✋✔️

COO @realtime | bioLock MFA4SAP Security to Enforce Zero Trust Since 2002

9y

Abel - great post! If you enter the country, they check your passport and uniquely ID you. Same at a military base. If you enter the government IT system, they check "NOTHING" (just a simple password that everybody shares). It is time to check ID when somebody accesses the government system and EVERY TIME they do anything important in the system!
