Are state & local governments required to comply with the Federal Information Security Management Act (FISMA)? Over the past two years, I’ve heard various opposing views on this question.
First, let me clarify the question. I’m not asking if following NIST and FISMA security directions makes sense and is the “right thing to do” for state & local governments. It is. Many state and local government staff use NIST documents to help address numerous security questions. The Computer Security Resource Center on the NIST website is gold mine for great security information, sample policies, federal guidance, etc. It is the go-to site for many public and private sector organizations. Virtually every state & local colleague I know uses the site to some extent, and if you don’t, you should.
Still FISMA compliance is very hard and takes major resources and commitment. Our federal colleagues know that only too well. My question is more around the terms “guidance” or “mandate.” Should state and local governments view this as “commandments” or the suggestions?
For some background, I recommend reading the September 2005 “Final Audit Report – Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected” from the US Department of Treasury’s Deputy Inspector General for Audit.
If you don’t want to take the time to read that PDF, I’ll tell you that the auditor and the Chief, Mission Assurance and Security Services at Treasury disagree on whether FISMA requirements apply to state agencies receiving Federal tax information. This is just one example, but if you Google this question, you can find several other similar documents online.
Before I post my opinions on this, I’d love to hear reader’s viewpoints, especially federal, state, and local government employees and contractors, on this topic.