Learn the Basics About FISMA
The Federal Information Security Management Act of 2002 (FISMA), also known as Title III of the E-Government Act of 2002, specifies that all government agencies, as well as their affiliates such as government contractors, must design, develop, document and implement a security program that accounts for the entire organization’s operations and users.
This U.S. federal law recognizes the vital importance of information security to the economic and national security interests of the country.
The recent breach of the U.S. Office of Personnel Management lifted the veil to reveal that numerous agencies in the United States government are prime targets for cyber-security attacks and breaches.
What Is the Purpose of FISMA?
With such a complex series of interrelated, yet distinct, federal agencies, it is important to maintain a consistent approach to data security that everyone can easily understand and apply. FISMA was designed to fulfill this role, assigning specific responsibilities to federal agencies, including the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).
Each respective agency does its part to strengthen information security systems, according to their own specializations.
NIST develops and issues well-researched standards, guidelines and other pertinent publications, such as its Special Publication 800-37, to help the various governmental agencies implement and comply with FISMA. The agency also works on finding cost-effective measures to protect its own computing systems and ensure its own compliance.
The Office of Management and Budget issues policies that reinforce NIST’s efforts, stating that, except for national security systems, all federal agencies must follow NIST guidelines.
Who Must Comply with FISMA Standards?
Anyone working for the federal government, or any agency therein, who handles sensitive government information must adhere to FISMA standards.
Additionally, since the 2002 enactment of FISMA, certain state agencies have been brought under FISMA, namely those that manage and administer federally funded programs, such as:
- Unemployment insurance
- Student loans
Private Sector Organizations
In ordinary circumstances, private sector organizations would have no need to worry about FISMA. However, if a private company enters a contractual agreement with the government (whether providing services or products, receiving a grant, or supporting a federal program), it must comply with FISMA’s mandates.
It is important that private sector businesses understand FISMA and their responsibility to comply when signing on with a federal agency. Ideally, the company’s liaison and a representative of the federal agency sit down and discuss information security and the other requirements with which the private sector party must comply.
Cloud Service Providers
Another body that helps ensure FISMA compliance is FedRAMP, which is “a collaboration of cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council.” This group of federal cyber-security experts helps cloud service providers understand their responsibilities when supporting federal agencies and how they can guarantee FISMA compliance for their organization.
What Are the Most Important Requirements for FISMA Compliance?
Maintaining consistent and full FISMA compliance starts with learning all the requirements. Take some time and browse through the most important requirements for FISMA so your IT team can ensure your full adherence:
Perform an Inventory of Your Information System
Whether you oversee a federal agency, a private sector company or a cloud computing firm, it is imperative to have an information systems inventory in place. Identify the interfaces between each discrete system and other systems and network environments, including systems not under the control of the federal agency.
Organize and Categorize Information According to Risk Level
This requirement helps you assign appropriate levels of data access and information security. Consult FIPS Publication 199 for “Standards for Security Categorization of Federal Information and Information Systems” and the “Guide for Mapping Types of Information and Information Systems to Security Categories.”
Ensure Proper Security Controls
Any system that contains federal data must adhere to minimum security requirements. The specific requirements are laid out in FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.”
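The two steps above fit together mechanically: FIPS 199 assigns each information type a potential impact (LOW, MODERATE or HIGH, with "not applicable" permitted only for confidentiality), the system's security category per objective is the highest impact of any information type it processes (the high-water mark, with a floor of LOW for a system), and FIPS 200 then takes the highest of the three objectives as the overall impact level that selects the minimum control baseline. The following Python script is an added example, not code from the original article or from I.S. Partners; the information types and impact levels in it are constructed for illustration, and in practice they would come from the agency's mapping under the second guide quoted above (NIST SP 800-60).

```python
"""FIPS 199 security categorization with the high-water mark.

Added example (not from the original article). The information types and
impact levels are constructed for illustration; a real categorization
takes them from the agency's SP 800-60 mapping of information types.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 potential impact values, ordered so that max() yields the high-water mark.
IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its FIPS 199 impact per security objective."""
    name: str
    confidentiality: str  # "NA" is allowed here only (e.g. public information)
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            # FIPS 199 permits 'not applicable' only for confidentiality.
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{self.name}: NA is not allowed for {objective}")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Return the FIPS 199 security category of an information system.

    For each objective the system inherits the highest impact of any
    information type it processes (high-water mark). A system itself can
    never be categorized NA, so the floor is LOW.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = [getattr(t, objective) for t in info_types]
        highest = max(levels, key=IMPACT_ORDER.__getitem__)
        category[objective] = "LOW" if highest == "NA" else highest
    return category


def baseline_impact_level(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: high-water mark across the three
    objectives. This value selects the LOW/MODERATE/HIGH control baseline."""
    return max((category[o] for o in OBJECTIVES), key=IMPACT_ORDER.__getitem__)


def format_security_category(category: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation:
    SC = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC = {{{parts}}}"


# Constructed sample: a hypothetical benefits portal that serves public
# program notices and also holds claimant records and payment data.
SAMPLE_INFO_TYPES = [
    InfoType("public program notices", "NA", "LOW", "LOW"),
    InfoType("claimant personal records", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment disbursement data", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_security_category(sc))
    print("Control baseline (FIPS 200):", baseline_impact_level(sc))
```

For the constructed sample the system comes out as SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}, so the single HIGH integrity rating pulls the whole system into the HIGH baseline; that is the practical consequence of the high-water mark that practitioners most often underestimate when they add one sensitive information type to an otherwise modest system.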
Create and Maintain an Efficient and Measurable Security Program
The security plans that make up this program serve as key documents that require frequent and consistent review, necessary modifications, and corresponding plans of action for implementing security controls.
Perform Regular Risk Assessments
Always a fundamental part of risk management, risk assessments are crucial when dealing with government information systems. NIST provides dedicated guidance for this part of managing risk in its SP 800-30, “Guide for Conducting Risk Assessments.”
Obtain Certification and Accreditation
Once you have performed the other tasks, especially a risk assessment to ensure proper functioning and security, your system must undergo a review to obtain certification and accreditation. The process is set forth in the NIST SP 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems.”
Monitor the System Continuously
Once you have obtained certification and accreditation, the activities you must carry out continuously on your information system include configuration management and control of system components, analysis of changes to the system, ongoing assessment of the security controls, and status reporting.
Encrypt All Data
In most information system environments, IT leaders are encouraged to encrypt pages that contain extremely sensitive data such as credit card information and social security numbers. When it comes to federal agencies, every page and all information warrant the added layers of protection that encryption provides. When working with cloud security firms, however, it is important that you do not share your encryption keys with them, since whoever holds the keys can read the sensitive data in clear and intelligible text.
Reach Out for Help from Professionals Who Know FISMA’s Compliance Requirements Inside-Out
I.S. Partners, LLC.’s FISMA team can make compliance a breeze for your IT team. Whether you want to clarify a particular aspect of the Act, or you just don’t know where to begin if you have just started working with a federal agency as a private sector company, help is available. Reach out to the team via phone or chat to learn more about FISMA risk assessments, certification and accreditation, and anything else you need for full compliance.