The United States enacted the Federal Information Security Management Act (FISMA) in 2002. This law requires federal agencies to develop, implement, and maintain an information security program to protect the sensitive data they handle.
Data security guidelines published by the National Institute of Standards and Technology (NIST) provide the foundation for FISMA compliance. NIST is considered the authoritative body for creating, maintaining, and updating security standards for government agencies. As the underlying basis for FISMA, NIST:
- Sets minimum security requirements for establishing information security solutions and protocols.
- Provides recommendations on the types of security systems implemented by federal government agencies and approved third-party vendors.
- Standardizes risk assessment and auditing practices based on the severity of agencies’ security risk levels.
NIST’s standards for FISMA compliance are used to help federal agencies maintain an information security program to protect the sensitive information they use.
Understanding FISMA compliance is essential because any federal agency — or private businesses that work with a federal agency or receive federal grant money — must abide by the law.
More broadly, compliance with FISMA drives greater cybersecurity and protection of government information, whether that’s military information, personal data, or U.S. trade secrets.
FISMA-compliant organizations receive authorization to operate (ATO) from the federal agency with which they do business. The agency granting the ATO may perform the contractor’s security assessment or enlist a certified third-party security assessor (3PAO) to do the job.
Meanwhile, the Federal Risk and Authorization Management Program (FedRAMP) is a program designed to help federal agencies secure their data in the cloud and to streamline the use of cloud service providers (CSPs).
It is easy to confuse FedRAMP and FISMA. Unlike FISMA, FedRAMP is only a guideline, not a law. Still, FedRAMP relies on the same security controls as FISMA from NIST Special Publication 800-53. Consequently, FedRAMP is often referred to as “FISMA for the cloud.”
What Are the Three Levels of FISMA Compliance?
To comply with FISMA, a business will need to evaluate its information systems and the nature of its organization so it can focus on specific areas that are most critical. FISMA defines three levels of possible impact on organizations or individuals in the event of a security breach. Below is an explanation of each impact level of FISMA compliance.
If the loss of confidentiality, integrity, or availability is projected to have a limited adverse effect on the organization’s activities, assets, or persons, the potential impact is considered low.
FISMA has defined some categories of covered defense information (CDI) and controlled unclassified information (CUI) as low impact, indicating that the total adverse effects will be minimal if compromised. For example, only minor financial loss or minor damage to the organization’s assets would be incurred.
The word to remember while assessing which systems and data are low-impact under FISMA is “limited.” Even if compromised, the harm to the confidentiality, integrity, or availability of the data would be limited. In that case, the compliance measures for those systems or types of data need only meet the low compliance level.
The next level of FISMA compliance is moderate impact, which means that a compromise would have more severe consequences than at the low level. Moderate FISMA impact is a serious adverse effect on the organization’s operations, government entities, or individuals.
A serious adverse effect means that the loss of confidentiality, integrity, or availability could, for example, result in significant damage to the organization’s assets or in substantial financial loss.
Moderate-impact data and systems can include any number of CDI or CUI types, such as process manuals or financial data. While the consequences of compromising these types of data can be quite significant, a moderate-level compromise is not expected to cause severe physical damage or loss of life.
High-impact data and systems are some of the most critical assets that a contractor or vendor can manage, and they must be protected to the greatest extent possible under FISMA. If high-impact data is compromised, it can have significant consequences for an organization’s assets, government bodies, or individuals.
A “severe or catastrophic adverse effect” can include significant financial loss or significant damage to the organization’s assets. In the most extreme circumstances, for example, the compromise of information regarding military strategy or of access to crucial energy infrastructure might result in real-world harm and even death.
To achieve FISMA compliance, then, it’s vital to identify potential high-impact data and systems within your firm. It’s the most crucial factor to consider.
How Do You Become FISMA-Compliant?
FISMA compliance requires organizations to implement enterprise-wide security controls based on NIST guidelines. Several publications cover FISMA guidelines, such as NIST SP 800-53, Federal Information Processing Standards (FIPS) 199, and FIPS 200.
The FISMA requirements are as follows:
- Information systems inventory. FISMA requires every organization to maintain an inventory of all information systems. The organization also needs to document how systems are integrated and share data.
- Categorize information systems and sensitive data. Categorize information systems and data by risk level and assure that high-risk systems receive the highest level of security. FIPS 199 specifies how a government agency classifies security risks and obligations.
- Maintain a system security plan (SSP). Organizations must establish and maintain an up-to-date security plan as part of their FISMA compliance requirements. The plan includes security regulations and detailed internal security controls. This document is a tool for system owners and auditors to verify the effectiveness of controls.
- Develop security controls. NIST 800-53 defines 20 security controls that every agency must implement to comply with FISMA. Although FISMA does not require an organization to implement all 20 security controls, it must employ all controls relevant to its operations and systems.
- Conduct risk assessments. Using the risk management framework (RMF), NIST recommends that risk assessments be three-tiered to identify security threats at the business process, information system, and organizational levels.
- Obtain accreditation. Certification and accreditation is also referred to as assessment and authorization. The organization will be accredited, or authorized, after an assessment determines that the information system meets the standards described in NIST SP 800-37, meaning the controls are effectively and consistently operating as intended.
- Implement continuous monitoring. Ongoing monitoring activities include continuous security controls, status reporting, system change impact analysis, configuration management, and periodic audits. A complete risk assessment should be conducted again if a major change or update is made to a system.
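The impact levels described above and the first two requirements in this list (the system inventory and the categorization of systems and data) come together in the FIPS 199 security categorization: each information type a system handles is rated low, moderate, or high for confidentiality, integrity, and availability separately, the system’s category is the per-objective maximum across its information types, and FIPS 200 then takes the highest of the three objectives (the “high-water mark”) as the system’s overall impact level, which selects the SP 800-53 baseline. The following Python script is an added illustration of that procedure and is not code from the original article or from any NIST publication or vendor product; the inventory, system names, information types, and ratings are constructed, hypothetical values. It also applies two checks a practitioner would want: FIPS 199 permits a “not applicable” confidentiality rating only for public information, and a system that sends data to a peer rated at a lower impact level is flagged for interconnection review.

```python
"""Added example: FIPS 199 security categorization with the FIPS 200 high-water mark.

The inventory below is constructed for illustration; the systems, information
types, and impact ratings are hypothetical.
"""
from typing import Dict, List, Tuple

LEVELS = ("low", "moderate", "high")          # FIPS 199 impact levels, ascending
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed inventory: each system lists the information types it processes,
# one rating per security objective, plus the systems it shares data with.
# "n/a" is permitted only for the confidentiality of public information.
INVENTORY = {
    "hr-portal": {
        "information_types": {
            "employee-records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
            "job-postings": {"confidentiality": "n/a", "integrity": "low", "availability": "low"},
        },
        "shares_data_with": ["payroll"],
    },
    "payroll": {
        "information_types": {
            "bank-details": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
        },
        "shares_data_with": ["hr-portal"],   # returns pay stubs to the HR portal
    },
    "public-website": {
        "information_types": {
            "press-releases": {"confidentiality": "n/a", "integrity": "low", "availability": "low"},
        },
        "shares_data_with": [],
    },
}


def validate_rating(objective: str, rating: str) -> None:
    """Reject unknown objectives or ratings; allow "n/a" only for confidentiality."""
    if objective not in OBJECTIVES:
        raise ValueError(f"unknown security objective: {objective}")
    if rating == "n/a":
        if objective != "confidentiality":
            raise ValueError(f"'n/a' is only allowed for confidentiality, not {objective}")
        return
    if rating not in RANK:
        raise ValueError(f"unknown impact rating {rating!r} for {objective}")


def security_category(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """FIPS 199 security category: the per-objective maximum over all information types."""
    if not info_types:
        raise ValueError("a system must list at least one information type")
    category = {objective: "n/a" for objective in OBJECTIVES}
    for name, ratings in info_types.items():
        for objective in OBJECTIVES:
            if objective not in ratings:
                raise ValueError(f"{name}: missing rating for {objective}")
            rating = ratings[objective]
            validate_rating(objective, rating)
            if rating == "n/a":
                continue
            if category[objective] == "n/a" or RANK[rating] > RANK[category[objective]]:
                category[objective] = rating
    return category


def system_impact_level(category: Dict[str, str]) -> str:
    """FIPS 200 high-water mark: the highest rating among the three objectives."""
    ranked = [RANK[rating] for rating in category.values() if rating != "n/a"]
    return LEVELS[max(ranked)]


def categorize_inventory(inventory: dict) -> Dict[str, Tuple[Dict[str, str], str]]:
    """Categorize every system and confirm each data-sharing peer is itself inventoried."""
    results = {}
    for system, entry in inventory.items():
        for peer in entry.get("shares_data_with", []):
            if peer not in inventory:
                raise ValueError(f"{system} shares data with undocumented system {peer!r}")
        category = security_category(entry["information_types"])
        results[system] = (category, system_impact_level(category))
    return results


def interconnection_reviews(inventory: dict, results: dict) -> List[str]:
    """Flag systems that send data to a peer rated at a lower impact level."""
    notes = []
    for system, entry in inventory.items():
        level = results[system][1]
        for peer in entry.get("shares_data_with", []):
            peer_level = results[peer][1]
            if RANK[peer_level] < RANK[level]:
                notes.append(f"{system} ({level}) sends data to {peer} ({peer_level}); review the interconnection")
    return notes


if __name__ == "__main__":
    results = categorize_inventory(INVENTORY)
    for system, (category, level) in results.items():
        print(f"{system}: {category} -> overall impact {level}")
    for note in interconnection_reviews(INVENTORY, results):
        print("REVIEW:", note)
```

Running the script categorizes the HR portal as moderate, payroll as high (its integrity rating alone lifts the whole system), and the public website as low, and flags the payroll-to-HR interconnection because a high-impact system is feeding data into a moderate-impact one. Categorization is a re-run, not a one-off: when a system or its information types change, re-categorize before deciding whether the change triggers the full reassessment the continuous-monitoring requirement calls for.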
What Are Best Practices for FISMA Compliance?
Achieving FISMA compliance doesn’t have to be a complicated process. By following some best practices, you can simplify the security assessment and accreditation process for your organization. The best practices listed below will also assist your company in meeting all applicable FISMA criteria.
Implement a Data Security Plan
Maintain a comprehensive data security plan to classify data, monitor activity, and detect threats to your sensitive data. Create security policies to manage access and categorize assets in your systems. Reference FISMA and applicable NIST guidelines to determine the appropriate security controls.
Keep Up on Changes in FISMA Standards
Reforms to FISMA can have significant implications on your company, so it is essential to keep abreast of any publications or changes to FISMA. In addition, always look for chances to adopt a more holistic approach to your overall compliance strategy when you update your procedures to meet new FISMA regulations.
Maintain Documentation of Your FISMA Compliance Efforts
Documenting and retaining pertinent records provides evidence of your FISMA compliance efforts. Maintain evidence of internal audits and save documentation of risk categorization. It’s also beneficial to document controls and measures as they evolve. This information is valuable to auditors as they familiarize themselves with your FISMA journey.
Use ZenGRC for FISMA Compliance
Obtaining FISMA certification can take a significant amount of time and effort, especially if your company still relies on antiquated technologies and spreadsheets to achieve and maintain compliance operations.
Our compliance professionals at Reciprocity can assist you in preparing your FISMA compliance program, streamlining the process, and reducing the workload on your team.
ZenGRC is a single source of truth that ensures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards give visibility to gaps and high-risk areas.