The introduction of computers and the Internet into private and government offices opened the door to a complex new world of business. This new world was full of windows of opportunity for the ill-intentioned and severely lacking in strong doors with locks. Several laws have been passed to secure those doors against ill intent while keeping the windows open for the public. One such law is the Federal Information Security and Management Act (FISMA). Since FISMA was enacted in December 2002 as part of the E-Government Act of 2002, government entities, and subsequently their contractors, have been hurried to comply with the law. Since its inception, several guidelines have been established to help government entities conform with FISMA.
Certification and Accreditation (C&A) is the cornerstone for federal agencies implementing the mandates under the Federal Information Security and Management Act (FISMA). C&A is not everything, however. Before a government agency or its contractor even begins working towards C&A, there are several steps that should be understood and followed, including understanding who is involved, what is required, where to find information and how to use that information. Because the law is new and went into effect so quickly, there is much misunderstanding and confusion both at the federal agency level and at the government contractor level. This document will serve as a guide to those new to federal IT law. It addresses the above four issues, outlines the guidelines and steps designed by NIST to ensure successful C&A, and then presents lessons learned from trying to comply with FISMA.
Assumption: All references to “federal”, “government”, and “agency(ies)” refer to the “United States of America.”
© SANS Institute 2004, Author retains full rights.
As part of the Information Security Reading Room