FISMA Role and Responsibilities

The assignment of roles and responsibilities for information security within the federal government was clarified or reiterated within FISMA to cover policy, procurement, standards, and incident response. Although FISMA was the last major legislative framework, over the years the foundation has been built upon by a series of Executive Orders, directives, policies, regulations, standards and guidelines. Within FISMA, several specific roles were identified: 

• Director of the Office of Management and Budget (OMB).

• National Institute of Standards and Technology (NIST).

• Federal Agencies:

• Head of Agency or equivalent.

• Chief Information Officer (CIO).

• Senior Agency Information Security Officer (SAISO).

• Secretary of Defense (SecDef).

• Director of the Central Intelligence Agency (CIA). 

Introduction to FISMA

The Federal Information Security Management Act (FISMA) was signed into law on December 17, 2002 as part of the E-Government Act of 2002 (Public Law 107-347). FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act (GISRA) of 2000, which expired in November 2002. FISMA is divided into multiple sections, each of which will be briefly described in this section.  

Purpose

FISMA was built upon several existing federal laws designed to ensure the security of federal information and information systems. These federal laws include the Computer Security Act of 1987 (Public Law 100-35), Paperwork Reduction Act of 1995 (Public Law 104-13), and Information Technology Management Reform Act of 1996 (i.e., Clinger-Cohen Act, Public Law 104-106, Division E). The purpose of FISMA, as outlined in Section 3541, is covered in six major objectives

1. Establishment of a framework for ensuring the effectiveness of security controls; 

2. Development of mechanisms for effective government-wide management and oversight of security-related risks; 

3. Development and maintenance of a minimum set of required security controls; 

4. Improvement of oversight of information security programs; 

5. Utilization of commercially developed information security products for protecting critical information infrastructures; and 

6. Selection of commercially developed information security solutions should be left to individual federal agencies. 

CRM Integration Capability/API/Web services

Making an analogy, a dialer is a machine gun of calls, and the CRM database is the ammo depot. Therefore it is important to make sure that the correct agent is calling the list of names or leads that are most appropriate to his or her skills or location as fast as possible. This is the reason why one of the fundamental questions to ask when specifying a dialer solution is if the organization requires the integration of the dialer solution with an existing or future CRM.

It is important to know if the dialer system comes with a list or lead-management database (or integration with an existing one is required) and offers an API or Web services capability to easily move data in and out as required.  

Therefore, when writing the RFP, it is crucial to make sure that all requirements linked with the integration with the support application are very well defined. In addition to clearly stating your needs, you must ask the potential vendors about their experience integrating their products with other clients and ask for references (and, of course, check those references).