Tomaskovics Consulting works with organizations to implement and comply with the Federal Information Security Management Act of 2002 (FISMA).
FISMA defines a set of security steps that must be followed, and the processes involved must follow a combination of Federal Information Processing Standards (FIPS) documents and the Special Publication (SP) 800 series issued by NIST:
The first step defines the IT systems; there is not always a direct mapping of computers to IT systems. NIST SP 800-18 provides guidance on determining system boundaries.
The next step determines the types of IT systems and the impact of a compromise of confidentiality, integrity, or availability for each IT system. NIST SP 800-60 provides a catalog of information types, and FIPS 199 provides a rating methodology and a definition of the criteria.
In the next step, a security plan is formulated and documented with all relevant IT system information. An important part of the IT system documentation is a detailed hardware and software inventory, including hardware makes and model numbers, software version numbers, patch levels, and a functional description of each component.
NIST SP 800-18 gives guidance on such documentation standards. A contingency plan for the system also needs to be documented; guidance on contingency planning can be found in NIST SP 800-34.
Next, a risk assessment should be completed, including risk identification, risk quantification, and risk mitigation/control. NIST SP 800-30 provides guidance on the risk assessment process. Federal agencies must meet the minimum security requirements defined in FIPS 200 through the use of the security controls in NIST Special Publication 800-53.
Next, each IT system needs to have its controls assessed and certified to be functioning appropriately. For systems in the FIPS 199 "Low" category, a self-assessment is sufficient for certification. For systems categorized at higher FIPS 199 levels, a certification performed by an independent party such as Tomaskovics Consulting (1-800-219-6770) is required. NIST SP 800-53A provides guidance on the assessment methods applicable to individual controls. Once a system has been certified, it must be officially accredited by being granted an "authorization to operate" (ATO). This authorization is usually for a three-year period and may be contingent on additional controls being implemented. NIST SP 800-37 provides guidance on the certification and accreditation of systems. Accredited systems are then monitored; guidance on continuous monitoring can be found in NIST SP 800-37 and SP 800-53A.