Automating Compliance With Federal Information Case Study

Excerpt from Case Study :

The Act also requires agency heads to ensure that information security planning is carried out throughout the life cycle of every federal information system.

The significant differences between FISMA and GISRA are that FISMA's provisions are stronger and permanent, whereas GISRA was subject to expiry, and that FISMA requires minimum mandatory standards for information security (OIG, 2003).

The suitability of the eight FISMA requirements model for business information security programs

The FISMA requirements model is suitable for a business information security program because it helps identify the people, processes and systems an organization depends on to achieve its business objectives, and then drives the selection of appropriate protective mechanisms for them. A further incentive is that compliance with the requirements bolsters an agency's reputation before the House Committee on Government Reform and improves citizens' perception of the agency (Cisco, 2007).

Federal agencies receive low grades on the Federal Computer Security Report Card because the weaknesses in their information systems and information security programs are numerous. All 24 major federal agencies have been found to have various forms of control weaknesses in their information technology systems, and these weaknesses threaten the confidentiality, integrity and availability of the services provided through federal information systems (GAO, 2005a). They expose information to considerable risk of falling into the hands of unauthorized persons, which can lead to the disclosure of highly sensitive information and to the disruption of critical operations. The main areas of weakness are those examined by the audit methodology used to evaluate information security (GAO, 2005b); the most affected areas are access controls, software change controls, segregation of duties, and continuity of operations plans.

The differences, in terms of legal regulations and guidance for compliance, between the Federal government and industry in managing the security of information and information


Ensuring that the security of information and information systems is properly managed is a role that must be accomplished through collaboration between the federal government and industry stakeholders. There are, however, certain differences in the regulations and guidance that must be followed to bring about the desired level of information assurance. In both cases the confidentiality, integrity and availability of all critical data must be assured at all times.

The differences are as follows;

The federal government's information and information system security requirements are mandatory for all agencies and are imposed by federal statute: FISMA is Title III of the E-Government Act of 2002 (Public Law 107-347). Agencies must implement the regulations according to the guidelines issued under that Act, and compliance is enforced through mandatory annual reporting, Inspector General evaluations and congressional oversight rather than through criminal penalties. Industry standards, on the other hand, are governed by policies that are specific to each individual industry.

A comparison of the classes and families of the minimum security control requirements, shown in Table 5-5, to the classes and control objectives of ASSERT's assessment questions, shown in Table 5-6, and an explanation of the discrepancies.

The classes and families of the minimum security control requirements shown in Table 5-5 are not as detailed as the classes and control objectives of ASSERT's assessment questions shown in Table 5-6. This is because Table 5-5 lists the controls at the level of general classes and families, while the entries in Table 5-6 are specific and to the point: ASSERT's questions are an assessment instrument, so each must be concrete enough to be answered and verified during a self-evaluation.

How ASSERT's questions could be used by a business to better control its IT systems and to mitigate its security risks.

A business can use the ASSERT questions to carry out a step-by-step analysis and evaluation of the potential security gaps in its IT systems, and then initiate the mitigation procedures prescribed by the same ASSERT guidance for each gap found.


E-Government Act. (2002). Management and promotion of electronic Government services. Public Law 107-347.

Best, R. (2007). Open Source Intelligence (OSINT): Issues for Congress.

Cisco (2007). FISMA Compliance: Mapping National Institute of Standards and Technology (NIST) Controls to Cisco Security Solutions.

CSR (2004). Critical Infrastructure and Key Assets: Definition and Identification.

CSS (2008). Open Source Intelligence: A strategic enabler of national security. CSS Analyses in Security Policy.

Government Accountability Office (2005a). Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements.

Government Accountability Office (2005b). Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems. GAO-05-231. Washington, D.C.: May 13, 2005.

Intelligence Community (2006). Directive Number 301 and P.L. 109-163, Sec. 931.

Kahler and DeBlois (2003). EDUCAUSE, NIH, and Identrus Demonstrate PKI Interoperability Between the Federal Government and Higher Education.

Lowenthal, M. (2003). Intelligence, From Secrets to Policy, Second Edition. CQ Press (Washington, D.C.), p. 79.

Office of the Inspector General (2003). Multi-component audits, reviews and investigations.

Sands, A. (2005). "Integrating Open Sources into Transnational Threat Assessments," in Jennifer E. Sims and Burton Gerber, Transforming U.S. Intelligence (Washington: Georgetown University Press), p. 65.

Vaughan, R. and Pollard, R. (1984). Rebuilding America, Vol. I, Planning and Managing Public Works in the 1980s. Council of State Planning Agencies. Washington, DC. 1984. pp. 1-2.
