2017-2018 Policy Library 
    Mar 22, 2018  
2017-2018 Policy Library

Federal Information Security Management Act

Federal Information Security Management Act

Claremont McKenna College adheres to the Federal Information Security Management Act (FISMA), which requires that federal agencies provide information security, including those services provided by contractors or other sources. FISMA assigns responsibilities to the National Institute of Standards & Technology (NIST) to provide standards and guidance to aid agencies in meeting the requirements of the law.

When required by a federal agency, the College will work with the PI/research team to create a FISMA Management Plan that will include:

Component Description
Scope of Work Identification and description of the work (including that to be performed by any subcontractors), internal and external sources of data, systems for daa processing and storage, all hardware and software to be used for the project, personnell involved, facilities, configuration controls, etc.
Implentation of Controls In addition to the controls normally associated with computer use, FISMA requirements include such things as personnel background checks, surveillance cameras, disaster recovery plans, ssytem backups, training, use of dedicated computers, encryption of data lines, workstation restrictions, security monitoring, physical access controls to work areas, etc.
Evaluation of Controls Verification that the appropriate security controls/events are monitored, generated and recorded, verifying data restoration procedures, validating performance of surveillance cameras, access log review, etc.

Depending on the Management Plan -

  • Additional study costs, in some cases significant, especially when an offsite, commercial third-party FISMA-compliant data processing/storage facility is used or extraordinary data process is needed.
  • Additional work load due to added security requirement conformance and monitoring.
  • Possible project start-up delays due to creation and approval of the Management Plan.