Federal Information Security Management Act (FISMA)
What it covers: Enacted in 2002, FISMA requires federal agencies to implement a program to provide security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of the E-Government Act of 2002.
Who is affected: Federal agencies.
Link to the law: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
Key requirements/provisions: FISMA recommends that an effective security program include the following elements:
* Periodic risk assessments.
* Policies and procedures based on these assessments that cost-effectively reduce information security risk and ensure security is addressed throughout the life cycle of each information system.
* Subordinate plans for information security for networks, facilities, etc.
* Security awareness training for personnel.
* Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices and controls, at least on an annual basis.
* A process to address deficiencies in information security policies.
* Procedures for detecting, reporting and responding to security incidents.
* Procedures and plans to ensure continuity of operations for information systems that support the organization's operations and assets.
Source: National Institute of Standards and Technology
North American Electric Reliability Corp. (NERC) standards
What it covers: The current set of 83 NERC standards was developed to establish and enforce reliability standards for the bulk-power system of North America, as well as to protect the industry's critical infrastructure from physical and cyber threats. These overall standards became mandatory and enforceable in the U.S. on June 18, 2007. Critical Infrastructure Protection (CIP) elements of the reliability standard have been subsequently updated, most recently in 2009. CIP standards include identification and protection of both physical assets and digital ("cyber") systems.
Who is affected: North American electric utilities.
Link to the NERC reliability standards: http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf
Key requirements/provisions: NERC standards fall into the following 13 categories:
* Resource and Demand Balancing
* Critical Infrastructure Protection
* Emergency Preparedness and Operations