Getting compliant can be a complicated process, and while compliance products like UTMStack are a great help, it’s always good to know what you’re signing up for. In this guide, we’ll talk you through everything you need to know about FISMA compliance. From what it is, to who must comply, and the steps you should take. We’ve made it friendly and easy to understand and comprehend, so read on.
What is FISMA?
FISMA is the Federal Information Security Management Act passed as a United States Federal Law in 2002. It makes it a legal requirement for federal agencies to develop, implement, and maintain an information security and protection program.
What is FISMA compliance?
FISMA compliance is a handbook set by FISMA for you to take steps to ensure that data and information are handled and kept securely. The National Institute of Standards and Technology (NIST) developed these standards, namely the FIPS 199, FIPS 200, and NIST 800 series.
Who must comply with FISMA?
Initially, FISMA compliance was meant for federal government agencies, hence the name. However, over time it has also expanded to include state agencies such as Medicare. Furthermore, it requires any company and civilian agencies with a contractual relationship with the government to be FISMA compliant.
Who overseeing agencies’ compliance?
FISMA 2014 (Federal Information Security Modernization Act) codifies the Department of Homeland Security’s role in administering information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies.
What are FISMA compliance requirements?
FISMA requirements and compliance is a huge in-depth topic and requires a lot of research and setup.
- Information Systems Inventory: Every company must maintain an inventory of information systems utilized within the organization. This includes everything from the lonely printer to the central server. Furthermore, the integrations and communications between these systems must be clearly documented. This goes for internal and external communications too.
- Risk Categorization: Organizations must use the FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) guidelines to create a risk management profile. This means arranging systems according to risk levels. Clearly, some items such as the central server will have a much higher risk level than the printer in the lobby. Understandably, the former will need in-depth attention, while the latter will have minimum security requirements.
- System Security Plan: FISMA requires agencies to create a plan of all the steps taken to meet compliances. This plan and the systems need continuous monitoring, and both of them need to be amended if any situation changes.
- Security Controls: NIST SP 800-53 outlines the security controls that must be implemented for FISMA compliance. Not all of the controls, within the guidelines, are required to be implemented. Instead, the security controls required are determined by the risk assessment.
- Risk Assessments: NIST compliance SP 800-30 offers some guidance on how agencies conduct risk assessments. Risk assessment is the task of identifying risks to the information systems. The risk management framework should be three-tiered: business process, organization, and information system. This circles back to risk categorization.
- Certification and Accreditation: Unsurprisingly, it’s not enough to develop, document, and implement steps with regard to security risks. The government also conducts an annual security review. Therefore, for a federal agency or private business to gain FISMA Certification and Accreditation they need to pass a four-phased
What are the benefits of FISMA compliance?
FISMA compliance has two main benefits, one is for the public, and the other is for government agencies and businesses. Firstly, compliance means that government information and personal information are handled more securely across the United States. This benefits the public as it provides them with a higher level of peace of mind. The other benefit is for federal agencies and organizations. Most importantly, they can keep information security incidents lower, better for customers and company reputation. Secondly, by meeting FISMA compliance requirements, businesses are more likely to land government contracts, which tend to be extremely high value.
Of course, a set of government guidelines on information security systems and security standards wouldn’t be complete without the possibility of penalties and repercussions. Of course, these are layered and are reasonable. As long as you follow the best data protection practices and don’t commit any major issues or have any data breaches, you’ll be fine.
Penalties can range from simple financial to censure by congress or even a reduction in federal funding. Of course, depending on the federal agencies involved and federal information systems involved, it could even include a high dose of reputational damage.
Despite popular belief, FISMA and other information security requirements on data don’t mean that you can’t use a public cloud service. In fact, data security is the main aim, and in many instances, using a trusted cloud provider could be more secure than hosting your own server. Understandably, any cloud service provider used by any company or agency required to be FISMA compliant must be FISMA complaint itself. To help with this the government has set up the Federal Risk and Authorization Management Program FedRAMP. FedRAMP helps ramp up the security assessment, authorization, and monitoring for cloud products using a standardized approach.
Frequently asked questions
Here are some commonly asked questions about FISMA compliance.
What is the difference between FISMA and NIST?
FISMA is the compliance act itself, while NIST develops the rules and guidelines for the act.
How many NIST security controls are there?
The National Institute of Standards and Technology Special Publication (NIST SP) 800-53 contains a wealth of security controls. NIST SP 800-53 R4 contains over 900 unique security controls that encompass 18 control families.
Why is FISMA important?
FISMA is important as it means that sensitive information is kept safe and secure. With more and more of our personal details being digital, this is something to be aware of.
Is AWS Fisma compliant?
Yes. AWS has received Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation from the U.S. General Services Administration.
FISMA – Why you should care
So there you have it. Everything you need to know about FISMA and the security requirements that come with it. If you haven’t yet, you should ensure that you become a FISMA complaint as quickly as possible. Not only will it help secure your data and information systems, which is beneficial for both you and your customers, it could also help you land some valuable government contracts.
Luckily, FISMA is similar to many other compliances such as SOC, HIPPA, and GDPR. So if you’re compliant in one, you can easily become compliant in the other. If you need help, talk to us, and we’ll get you going on the right track.