Government Information Security Act

From The Secure Arc Wiki


Information in italics below is referenced from wikia, reproduced in accordance with the Creative Commons License.

The Government Information Security Reform Act (GISRA) of 2000 established information security program, evaluation, and reporting requirements for federal agencies. GISRA required agencies to perform periodic threat-based risk assessments for systems and data. GISRA required agencies to develop and implement risk-based, cost-effective policies and procedures to protect information collected or maintained either by the agency or for it by another agency or contractor. GISRA required that agencies develop a process for ensuring that remedial action is taken to address significant deficiencies. GISRA also required agencies to provide security awareness training for agency personnel and training on security responsibilities for information security personnel.

GISRA required the agency head to ensure that the agency's information security plan is practiced throughout the life cycle of each agency system. The agency head was responsible for ensuring that the appropriate agency officials evaluated the effectiveness of the information security program, including by testing controls.

In 2002, GISRA was replaced and strengthened by FISMA (the Federal Information Security Management Act).

Each requirement of the law relating to Information Security is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.


GISRA contains the following elements:

  • All federal agencies must assess the security of their non-classified information systems
  • Agencies are to perform Security Assessments and report on the security needs of the systems (Gap Analysis)
  • Security Reports will be included in the agency’s budget for upcoming fiscal year (OMB)
  • Funds can be cut for non-compliance
  • The Act implies that funding will be provided to cover the mitigation of security gaps
  • Agencies have the opportunity to obtain the additional funds as long as they can provide a comprehensive Security Assessment that includes viable, best-practice mitigating solutions

A self-assessment can be performed using NIST SP 800-26 as a guide.


Publications on the Government Information Security Act of 2000 are unavailable at present; the more current FISMA standard should be referred to.

