Complete Guide to FISMA Compliance

Posted on October 2, 2021January 16, 2022 By ricardovb92

Getting compliant can be a complicated process, and while compliance products like UTMStack are a great help, it’s always good to know what you’re signing up for. In this guide, we’ll talk you through everything you need to know about FISMA compliance. From what it is, to who must comply, and the steps you should take. We’ve made it friendly and easy to understand and comprehend, so read on.

Table of Contents

  • What is FISMA?
  • What is FISMA compliance?
  • Who must comply with FISMA?
  • Who oversees agencies’ compliance?
  • What are FISMA compliance requirements?
  • What are the benefits of FISMA compliance?
  • Penalties
  • FedRAMP program
  • Frequently asked questions
    • What is the difference between FISMA and NIST?
    • How many NIST security controls are there?
    • Why is FISMA important?
    • Is AWS FISMA compliant?
  • FISMA – Why you should care

What is FISMA?

FISMA is the Federal Information Security Management Act, passed as a United States federal law in 2002. It makes it a legal requirement for federal agencies to develop, implement, and maintain an information security and protection program.

What is FISMA compliance?

FISMA compliance means meeting the standards that FISMA requires so that data and information are handled and stored securely. The National Institute of Standards and Technology (NIST) developed these standards, namely FIPS 199, FIPS 200, and the NIST SP 800 series.

Who must comply with FISMA?

Initially, FISMA compliance was meant for federal government agencies, hence the name. However, over time it has also expanded to include state agencies such as Medicare. Furthermore, it requires any company or civilian agency with a contractual relationship with the government to be FISMA compliant.

Who oversees agencies’ compliance?

FISMA 2014 (Federal Information Security Modernization Act) codifies the Department of Homeland Security’s role in administering information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies.

What are FISMA compliance requirements?

FISMA requirements and compliance form a large, in-depth topic that requires a lot of research and setup. The main requirements are:

  1. Information Systems Inventory: Every company must maintain an inventory of information systems utilized within the organization. This includes everything from the lonely printer to the central server. Furthermore, the integrations and communications between these systems must be clearly documented. This goes for internal and external communications too.
  2. Risk Categorization: Organizations must use the FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) guidelines to create a risk management profile. This means arranging systems according to risk levels. Clearly, some items such as the central server will have a much higher risk level than the printer in the lobby. Understandably, the former will need in-depth attention, while the latter will have minimum security requirements.
  3. System Security Plan: FISMA requires agencies to create a plan documenting all the steps taken to meet compliance requirements. This plan and the systems it covers need continuous monitoring, and both must be amended whenever the situation changes.
  4. Security Controls: NIST SP 800-53 outlines the security controls that must be implemented for FISMA compliance. Not all of the controls within the guidelines are required to be implemented. Instead, the security controls required are determined by the risk assessment.
  5. Risk Assessments: NIST SP 800-30 offers guidance on how agencies conduct risk assessments. Risk assessment is the task of identifying risks to the information systems. The risk management framework should be three-tiered: business process, organization, and information system. This circles back to risk categorization.
  6. Certification and Accreditation: Unsurprisingly, it’s not enough to develop, document, and implement steps with regard to security risks. The government also conducts an annual security review. Therefore, for a federal agency or private business to gain FISMA Certification and Accreditation, they need to pass a four-phased
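The inventory (step 1) and risk categorization (step 2) above can be mechanized. The following is an added example, not code from the original article: it applies the FIPS 199 rule that a system's overall security category is the highest of its confidentiality, integrity and availability impact levels (the "high-water mark"), so that the central server and the lobby printer fall out at different levels automatically. The system names and impact values in `SAMPLE_INVENTORY` are constructed sample data, not real systems.

```python
"""FIPS 199 security categorization of an information-system inventory.

Added example, not from the original article. FIPS 199 assigns each system a
potential impact level (LOW, MODERATE or HIGH) for each of confidentiality,
integrity and availability; the overall category is the highest of the three
(the high-water mark). The inventory below is constructed sample data and the
names and impact values are assumptions, not real systems.
"""
from dataclasses import dataclass

# Impact levels ordered so that max() yields the high-water mark.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class InformationSystem:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def security_category(system: InformationSystem) -> str:
    """Return the FIPS 199 overall category: the highest of the three impact levels."""
    levels = (system.confidentiality, system.integrity, system.availability)
    for level in levels:
        if level not in LEVELS:
            raise ValueError(f"{system.name}: unknown impact level {level!r}")
    return LEVEL_NAMES[max(LEVELS[level] for level in levels)]


def fips199_expression(system: InformationSystem) -> str:
    """Render the FIPS 199 notation, e.g. SC x = {(confidentiality, MODERATE), ...}."""
    return (
        f"SC {system.name} = {{(confidentiality, {system.confidentiality}), "
        f"(integrity, {system.integrity}), (availability, {system.availability})}}"
    )


def categorize_inventory(inventory):
    """Map each system name in the inventory to its overall category."""
    return {system.name: security_category(system) for system in inventory}


def systems_at_level(inventory, level):
    """Sorted names of the systems whose overall category equals `level`."""
    return sorted(s.name for s in inventory if security_category(s) == level)


# Constructed sample inventory (assumed values, for illustration only).
SAMPLE_INVENTORY = [
    InformationSystem("central-records-server", "HIGH", "MODERATE", "MODERATE"),
    InformationSystem("hr-portal", "MODERATE", "MODERATE", "LOW"),
    InformationSystem("lobby-printer", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    for system in SAMPLE_INVENTORY:
        print(f"{fips199_expression(system)} -> overall {security_category(system)}")
    print("Systems needing in-depth attention (HIGH):",
          systems_at_level(SAMPLE_INVENTORY, "HIGH"))
```

The high-water mark is deliberately conservative: a single HIGH rating for any one of the three objectives makes the whole system HIGH, which is what drives the "in-depth attention" for the central server versus the minimum baseline for the printer. Rejecting unknown impact strings up front keeps a typo in the inventory from silently landing a system in the wrong baseline.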

What are the benefits of FISMA compliance?

FISMA compliance has two main benefits: one is for the public, and the other is for government agencies and businesses. Firstly, compliance means that government information and personal information are handled more securely across the United States. This benefits the public by giving them a higher level of peace of mind. The other benefit is for federal agencies and organizations. Most importantly, they can keep the number of information security incidents lower, which is better for customers and company reputation. Secondly, by meeting FISMA compliance requirements, businesses are more likely to land government contracts, which tend to be extremely high value.

Penalties

Of course, a set of government guidelines on information security systems and security standards wouldn’t be complete without the possibility of penalties and repercussions. These are layered and reasonable. As long as you follow best data protection practices and don’t have any major issues or data breaches, you’ll be fine.

Penalties can range from simple financial penalties to censure by Congress or even a reduction in federal funding. Depending on the federal agencies and federal information systems involved, it could even include a high dose of reputational damage.

FedRAMP program

Despite popular belief, FISMA and other information security requirements on data don’t mean that you can’t use a public cloud service. In fact, data security is the main aim, and in many instances, using a trusted cloud provider could be more secure than hosting your own server. Understandably, any cloud service provider used by a company or agency required to be FISMA compliant must be FISMA compliant itself. To help with this, the government has set up the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP streamlines the security assessment, authorization, and monitoring of cloud products using a standardized approach.

Frequently asked questions

Here are some commonly asked questions about FISMA compliance.

What is the difference between FISMA and NIST?

FISMA is the compliance act itself, while NIST develops the rules and guidelines for the act.

How many NIST security controls are there?

The National Institute of Standards and Technology Special Publication (NIST SP) 800-53 contains a wealth of security controls. NIST SP 800-53 R4 contains over 900 unique security controls that encompass 18 control families.

Why is FISMA important?

FISMA is important as it means that sensitive information is kept safe and secure. With more and more of our personal details being digital, this is something to be aware of.

Is AWS FISMA compliant?

Yes. AWS has received Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation from the U.S. General Services Administration.

FISMA – Why you should care

So there you have it. Everything you need to know about FISMA and the security requirements that come with it. If you haven’t yet, you should ensure that you become FISMA compliant as quickly as possible. Not only will it help secure your data and information systems, which is beneficial for both you and your customers, it could also help you land some valuable government contracts.

Luckily, FISMA is similar to many other compliance frameworks such as SOC, HIPAA, and GDPR. So if you’re compliant with one, you can more easily become compliant with the others. If you need help, talk to us, and we’ll get you going on the right track.
