FISMA


A suite of FISMA advisory services tailored to get your organization through a successful initial and continued authorization, delivered by a team of experienced professionals.

The Federal Information Security Management Act (FISMA) is a United States federal law that requires federal agencies, departments, and their supporting entities (vendors and contractors) to develop, document, and implement an information security and protection program.

FISMA is one of the most important regulations for federal data security standards and guidelines. It was introduced to reduce the security risk to federal information and data while managing federal spending on information security. To achieve these aims, FISMA established a set of guidelines and security standards that federal agencies have to meet. The scope of FISMA has since increased to include state agencies administering federal programs like Medicare.

FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government.

The National Institute of Standards and Technology (NIST) plays an important role in the FISMA Implementation Project launched in January 2003, which produced the key security standards and guidelines required by FISMA. These publications include FIPS 199, FIPS 200, and the NIST 800 series, specifically NIST SP 800-53.

The top FISMA requirements include:

  • Information System Inventory: Every organization working with the government must keep an inventory of all the information systems used within the organization, specifically those that store, process, or transmit governmental data (CUI). In addition, the organization must identify the integrations between these information systems and other systems within its network.
  • Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” defines a range of risk levels within which organizations can place their various information systems.
  • System Security Plan: FISMA requires organizations to create a system security plan that is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.
  • Security Controls: NIST SP 800-53 outlines an extensive catalog of suggested security controls for FISMA compliance. FISMA does not require an organization to implement every single control; instead, organizations are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organization must document the selected controls in its system security plan.
  • Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.

FISMA compliance has increased the security of sensitive federal information. Continuous monitoring for FISMA compliance provides agencies with the information they need to maintain a high level of security and eliminate vulnerabilities in a timely and cost-effective manner. Companies operating in the private sector – particularly those that do business with federal agencies – can benefit by maintaining FISMA compliance. This can give private companies an advantage when trying to win new business from federal agencies, and meeting FISMA requirements ensures that a company is already covering many of the security best practices those requirements describe.

For government agencies or associated private companies that fail to comply with FISMA, there is a range of potential penalties, including censure by Congress, a reduction in federal funding, and reputational damage.

What we offer

RISCPoint’s team of security and compliance consultants can assist your organization from the onset of your FISMA lifecycle process, through obtaining your authorization, to maintaining and delivering your continuous monitoring requirements every year.

Our tailored FISMA advisory services include the following:

  • FISMA workshops and authorization roadmap development
    • Overview of the FISMA authorization process
    • CUI and Boundary review and scoping
    • ROI identification and justification
    • Assistance with discussions with potential or current agency AOs
    • Tailored educational sessions for key stakeholders and executives
    • Development of detailed roadmap for authorization
    • Security and controls program development
    • Alignment to existing controls frameworks
  • Gap assessments
    • Overview of the FISMA authorization process and timeline
    • Review of boundary and data flow documentation
    • Identification of gaps in the current NIST 800-53 control implementations
    • Development of risk-ranked recommendations and future state roadmap
  • FISMA Documentation and remediation support
    • Security Policy and Documentation development
      • System Security Plan
      • Incident Response Plan
      • Contingency Plan
      • Configuration Management Plan
      • Privacy Impact Assessment
      • FIPS 199 categorization
      • All supporting policies and procedures
    • Remediation of identified gaps and deficiencies
  • Assessment/audit coordination and support
  • Continuous monitoring development and execution
  • Vulnerability Scanning and Penetration Testing

What is the RISCPoint difference?

  • We employ a team of industry experts who have assisted a number of cloud providers in achieving authorization.
  • Our FISMA advisors have worked with and at some of the largest 3PAOs and bring the knowledge of what auditors, authorizing officials, and the FedRAMP PMO look for during the authorization process.
  • Our wide partner network includes security software vendors, hosting providers, and security engineers – we will be your one-stop shop for all your authorization needs.
  • We offer a wide range of security and compliance services and specialize in the development of enterprise-wide controls environments that allow you to meet multiple standards and frameworks (SOC 1, SOC 2, HITRUST, HIPAA, ISO 27001, and others) and minimize the time spent on audit and compliance work so you can focus on your day-to-day operations.
