U.S. Government IT Security Laws

The introduction of computers and the Internet into private and government offices opened the door to a complex new world of business. This new world was full of windows of opportunity for the ill-intentioned and severely devoid of strong doors with locks. Several laws have been passed to secure those doors against ill intent while keeping the windows open for the public. One such law is the Federal Information Security Management Act (FISMA), enacted in December 2002 as part of the E-Government Act of 2002. Since its inception, several guidelines have been established to help government entities conform with FISMA. Certification and Accreditation (C&A) is the cornerstone for federal agencies implementing the mandates under FISMA. C&A is not everything, however. Before a government agency or its contractor even begins working towards C&A, there are several steps that should be understood and followed, including understanding who is involved, what is required, where to find information, and how to use that information. This document will serve as a guide for those new to federal IT law: it addresses the four issues above, outlines the guidelines and steps NIST designed to ensure successful C&A, and then addresses lessons learned from trying to comply with FISMA.

1306 (PDF, 1.78MB)

11 Jan 2004
By Trevor Burke