An Introduction to FISMA

Few pieces of legislation have become as important and relevant for federal data security standards and guidelines as the Federal Information Security Management Act, more commonly referred to as FISMA.

If you’re a contractor with the federal government, you’re no doubt aware that you need to comply with the regulation, but may be wondering exactly what its provisions entail, and what they mean for your organization.

Here’s everything you need to know about FISMA.

What is FISMA?

Enacted as part of the Electronic Government Act of 2002, FISMA is a federal law requiring federal agencies, departments, and their supporting entities (vendors and contractors), to develop, document, and implement an information security and protection program. It was amended with the Federal Information Security Modernization Act of 2014, which increased the focus on continuous monitoring and reporting on the causes of security incidents.

What does FISMA outline?

The purpose of the Electronic Government Act was to reduce the security risk to federal data and information while managing federal spending for information security. National Institute of Standards and Technology (NIST), an agency of the U.S Department of Commerce, has historically played an important role in the FISMA Implementation Project, which is now part of the NIST’s Risk Management Project. These Projects established the key security standards and guidelines required by FISMA, which include FIPS 199, FIPS 200, and the NIST 800 series, specifically NIST SP 800-53.

Top FISMA requirements include:

• Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” defines a range of risk levels within which organizations can place their various information systems.
• System Security Plan: FISMA requires organizations to create a system security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.
• Information System Inventory: every organization working with the government must keep an inventory of all the information systems utilized within the organization, specifically the ones that store, process, or transmit governmental data (CUI). In addition, the organization must identify the integrations between these information systems and other systems within its network.
• Security Controls: NIST SP 800-53 outlines an extensive catalog of suggested security controls for FISMA compliance. FISMA does not require an organization to implement every single control; instead, they are instructed to implement the controls that are relevant to their baseline as determined by the FIPS 199 System Categorization. Once the appropriate controls are selected and the security requirements have been satisfied, the organizations must document the selected controls in their system security plan.
• Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.
• Accreditation: As defined in NIST SP 800-37, organizations must certify that all security controls are properly functioning. Once this certification is complete, the organization will be accredited.
• Continuous monitoring: organizations must conduct continuous monitoring and assessment of controls.
  

Do I need to comply with FISMA?

FISMA’s scope has expanded to include state agencies administering federal programs, such as Medicare, in addition to private businesses that hold contracts with the federal government. If your organization falls under either of these categories, you’re obligated to comply with FISMA’s requirements.

That being said, there are benefits associated with FISMA compliance – most notably the increased security of sensitive federal information provided by continuous monitoring for FISMA compliance. This provides agencies with the information needed to maintain a high level of security and eliminate vulnerabilities in a timely, cost-effective manner, which can be a key advantage when attempting to procure new contracts with the federal government.

What happens if I don’t comply with FISMA regulations?

Should a government agency or associated private company fail to comply with FISMA, there is a range of potential penalties, including censure by Congress, a reduction in federal funding, and, as with any compliance failure, reputational damage.

How do I ensure my organization’s controls are in line with FISMA standards – or get my program started?

If your organization doesn’t have a Chief Information Security Officer on staff, recruiting a virtual CISO (vCISO), like RISCPoint, is a surefire way to ensure that all of your security and compliance needs are met, FISMA and otherwise. We’re not an outsource, we’re a full-service resource.

Interested in learning more about how we can help your business become FISMA compliant? You can learn more about what we offer our FISMA clients here, or get in touch with a member of our team below.