Page 267 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks

Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually

A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization

Procedures for detecting, reporting, and responding to security incidents

Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization
FISMA places a significant burden on federal agencies and government contractors, who must develop and maintain substantial documentation of their FISMA compliance activities.
Federal Cybersecurity Laws of 2014
In 2014, President Barack Obama signed a series of bills into law that modernized the federal government’s approach to cybersecurity issues.
The first of these was the confusingly named Federal Information Systems Modernization Act (also bearing the acronym FISMA). The 2014 FISMA modified the rules of the 2002 FISMA by centralizing federal cybersecurity responsibility with the Department of Homeland Security. There are two exceptions to this centralization: defense-related cybersecurity issues remain the responsibility of the Secretary of Defense, while the Director of National Intelligence bears responsibility for intelligence-related issues.
Second, Congress passed the Cybersecurity Enhancement Act, which