Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into production? Each correct answer represents a part of the solution.
Choose all that apply.
Click on the arrows to vote for the correct answer
A. B. C. D.CD.
The correct answers are C. Office of Management and Budget (OMB) and D. FISMA.
The Federal Information Security Management Act (FISMA) is a US federal law enacted in 2002 that requires all federal agencies to develop, document, and implement an information security program to protect the information and information systems that support their operations and assets.
FISMA requires that all general support systems and major applications be fully certified and accredited (C&A) before they are put into production. C&A is the process of evaluating and documenting the security posture of an information system to ensure that it meets the specified security requirements. The C&A process includes risk assessment, security testing and evaluation, and system authorization.
The Office of Management and Budget (OMB) is an agency of the US federal government that is responsible for overseeing the implementation of policies and guidelines for federal agencies. OMB Circular A-130 provides guidelines for the management of federal information resources, including the security of information systems. OMB is responsible for ensuring that federal agencies comply with FISMA and that they have implemented effective information security programs.
NIST (National Institute of Standards and Technology) is a non-regulatory agency of the US Department of Commerce that develops standards, guidelines, and best practices for various fields, including information security. NIST provides guidance and standards for implementing FISMA and the C&A process.
FIPS (Federal Information Processing Standards) are standards that have been developed by NIST for use in federal government computer systems. FIPS includes standards for encryption algorithms, key management, and other security-related technologies.
While NIST and FIPS provide guidance and standards for implementing FISMA and the C&A process, they do not require that all general support systems and major applications be fully certified and accredited before they are put into production. That requirement is set by FISMA and enforced by the Office of Management and Budget (OMB).