Major Application (MA), which will be discussed further in “Lessons Learned and Contractor Responsibilities” section of this document.
The Government Information Security Reform Act (GISRA)9, signed into law as part of the National Defense Authorization Act of 2000, addressed the issues of program management and required further assessment and reporting of information security. This law was not permanent, however, and was scheduled to sunset in November 2001. FISMA was introduced, as part of the E-Government Act, making the provisions under GISRA permanent. The goal of FISMA, in short, is to “require each federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”10
Which Laws Apply to Federal Contractors?
Perhaps one of the most difficult aspects of IT security and C&A is understanding which federal laws must be complied with and by whom, and this is without considering local and state legislation. It could be assumed that CIOs, Security Officers and others under their direction at the federal agencies would know which laws apply and how they apply to their programs and subsequently their contractors. That is not always the case, however. The fact is there are so many Acts, presidential Executive Orders and official guidelines that it really is not so simple. Perhaps the best references are the Acts and Executive Orders themselves, because most have sections dedicated to listing the applicable and associated laws that are either superseded or act as references. That assumes, though, that one already knows which laws apply and knows where to find the original text and not just a summary.
The situation for federal contractors becomes a little more confusing. There are many security and IT laws in existence that appear to address only federal agencies. When the laws are read in detail, however, there is often a phrase embedded such as, to use FISMA as an example, “including those provided or managed by another agency, a contractor or other source”11 or something similar. This phrase requires federal government contractors to adhere to the same mandates as the agency for which they are working. Again, this is not a simple matter and will be discussed further in the “Lessons Learned and Contractor Responsibilities” section of this document.
© SANS Institute 2004, Author retains full rights.
In trying to determine which laws are applicable, the obvious first choice is to ask the manager, director or security officer at the agency; they should know. New information and directives are not always passed down the chain in a timely
9 National Defense Authorization Act – http://www.cio.gov/Documents/gisra_link_to_pdf_file.html
10 NIST SP 800-37 – 2nd Public Draft, pg. 1 – http://csrc.nist.gov/publications/drafts/sp800-37-Draftver2.pdf
11 Federal Information Security Management Act (FISMA) – 3544(b)
As part of the Information Security Reading Room