The U.S. federal government has many laws and regulations intended to assure strong cybersecurity for government agencies. Two of the most important are the Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP).
Both FISMA and FedRAMP have the same fundamental goal: to assure that federal agencies and their vendors protect government data. That said, they also differ in many ways. This article explores those similarities and differences, so that any government agency or government contractor can understand the cybersecurity compliance obligations your organization faces.
What Is FISMA Certification?
The Federal Information Security Management Act (FISMA) is a federal law enacted in 2002. It defines cybersecurity standards and guidelines to protect government information. FISMA requires federal government agencies and their contractors to meet these information security standards to protect the government operations, data, and systems.
FISMA’s requirements represent industry best practices around risk management and cybersecurity. Organizations that comply with these requirements (regardless of whether they’re federal agencies, federal contractors, or non-federal companies) are usually better prepared to address cyber threats, respond to data breaches, and strengthen their security posture.
Who Must Comply with FISMA?
FISMA standards originally only applied to U.S. government agencies. The intent was to protect and strengthen the IT infrastructure, information, and information systems operated and maintained by these agencies.
Today FISMA applies more broadly, to organizations including:
- State government agencies that help administer joint state-federal programs
- Private companies providing government agencies with software or services, such as software-as-a-service (SaaS) vendors or Cloud Service Providers (CSPs)
In short, any organization that contracts with the federal government to provide services, receive grants, or support a federal program must comply with FISMA.
How Is FISMA Applied?
FISMA works differently than other laws and regulations. Laws like HIPAA impose hefty penalties and fines on companies that don’t comply with its requirements. Also, HIPAA rules apply to the entire organization. FISMA manages applicability and accountability more directly.
For one, FISMA rules assess the security of individual systems, not entire companies or federal agencies. Also, an “authorizing official” (AO) plays an essential role under FISMA.
The AO is usually a high-level manager responsible for information security at a federal agency. The AO determines whether the information systems at this agency (or contractor) comply with FISMA’s standards.
Whether the agency runs the systems in-house or outsources management to another party, the AO will assess the system’s FISMA compliance and provide an Authority to Operate (ATO) sign-off.
The ATO is a critical element of determining FISMA compliance, and by extension, the security of the agency’s information systems. A data breach or unauthorized access attempt on systems with an ATO sign-off can create serious problems for the agency – and the AO.
The Role of NIST in FISMA
The National Institute of Standards and Technology (NIST) produces FISMA’s security guidelines and standards. Federal agencies and contractors use these guidelines to categorize information and information systems. Appropriate information security controls are implemented based on a range of applicable risk levels.
NIST has also developed the minimum information security requirements that information and information systems in each category must satisfy. These security requirements fall into three groups: technical security, operational, and management.
FISMA Compliance Process
The FISMA certification process starts by classifying the federal agency or contractor according to the security sensitivity of the operations in question. That is, would a breach lead to low-, moderate, or high-impact security disruption?
Whatever that category is, the agency or contractor must then implement the appropriate information security controls as dictated by NIST standards. (NIST has defined 18 categories of security controls that might be needed, depending on the impact level.) To meet FISMA’s compliance requirements, the agency or contractor must implement all necessary controls.
As part of the FISMA assessment and compliance process, agencies and vendors must maintain an inventory of all in-use information systems. The inventory list should specify how the systems integrate with the enterprise network. In addition, the agency or contractor must:
- Categorize information by risk to ensure that sensitive information gets the highest possible security;
- Create, maintain, and update a system security plan;
- Perform risk assessments at three levels: organization, business process, and information system.
Once the organization successfully completes all these activities, it gets FISMA certification. To retain that accreditation, FISMA compliant organizations are subject to annual reviews.
FISMA Compliance Benefits
FISMA compliance is mandatory for all government agencies and the contractors that want to work with them. For the latter, compliance indicates that solid information security controls are in place to protect government systems and sensitive data.
FISMA’s risk management approach and cybersecurity framework can also benefit any organization looking to secure its information systems from cyber threats.
What Is FedRAMP Certification?
Since 2011, the federal government has been trying to move its IT infrastructure to the cloud to reduce sprawl and fragmentation. To this end, the Cloud First Initiative was launched to help federal agencies realize the value of cloud computing at a faster pace. The initiative requires agencies to evaluate secure cloud computing options before making new investments.
The Federal Risk and Authorization Management Program (FedRAMP) allows agencies to understand which cloud providers are secure enough for the agencies to use.
All CSPs that want to provide cloud services to federal agencies must comply with both FISMA and FedRAMP. FedRAMP, in particular, provides a standardized approach to help CSPs achieve FISMA compliance and certification.
How FedRAMP Works
There are two categories of FedRAMP compliance:
- Joint Authorization Board Provisional Authority to Operate (JAB P-ATO)
- FedRAMP Agency Authority to Operate (ATO)
The rules for JAB P-ATO certification are more stringent than the rules for ATO certification. Also, earning JAB P-ATO requires a more significant investment of time and resources. Moreover, JAB P-ATO has to be approved by:
- FedRAMP Project Management Office (PMO)
- Joint Authorization Board which consists of officials from the:
- General Services Administration (GSA)
- Department of Homeland Security (DHS)
- Department of Defense (DoD)
Nonetheless, achieving JAB P-ATO can also bring more benefits to CSPs since it gives them freedom to work with any federal agency.
ATO certification rules are less stringent, and more suitable for CSPs that intend to work with only one or two agencies. The CSP must be “sponsored” by a federal agency to earn ATO, and in effect, the agency assumes the risk for the CSP.
FedRAMP Certification Process
A CSP can obtain JAB P-ATO or ATO certification by following this step-by-step process:
- The CSP categorizes its services under NIST’s FIPS-199 publication into low, medium, or high impact services.
- It creates a system security plan to describe how it implements the controls defined in NIST SP 800-53.
- A third-party assessment organization (3PAO) designs and conducts a security assessment plan to independently test the CSP’s security controls.
- The CSP creates a Plan of Actions & Milestones (POAM) based on the findings in the 3PAO’s security assessment plan.
The federal agency intending to work with the CSP will review the 3PAO’s security assessment report. After assessing the CSP’s controls and risks, the agency will either grant a JAB P-ATO or ATO certificate. When the CSP achieves one of these certifications, it will be listed in the FedRAMP marketplace as a federal agency-approved CSP vendor.
FedRAMP Certification Benefits
FedRAMP certification can open new doors for CSPs. Even though its requirements are rigorous, a certified CSP can gain access to many desirable and potentially profitable government contracts. Also, it can work with multiple federal agencies without repeating the certification process.
Federal agencies also benefit by working with FedRAMP-certified CSPs, knowing that these organizations can effectively protect federal information and information systems from cyberattacks and security breaches.
Moreover, thanks to FedRAMP’s “Do once, use many times” authorization process, agencies simply have to review an authorized cloud solution to confirm that it is safe for use. Non-government customers of the CSP can also benefit in the same way.
Distinctions Between FISMA and FedRAMP Certifications
Similarities
Both FISMA and FedRAMP certifications are related to the security of information and information systems. FISMA and FedRAMP are also both based on the security controls recommended by the NIST’s SP 500-83. Many of these controls are common to both.
Differences
Applicable Scope
FISMA provides guidelines for protecting all kinds of information and information systems. FedRAMP applies FISMA rules to one specific category of IT: cloud computing and cloud security. Its guidelines pertain to federal agencies adopting cloud service providers and protecting government data in the cloud.
In other words, FedRAMP is the version of FISMA that’s specifically applicable to the cloud and CSPs. All federal agencies and contractors must be FISMA certified. FedRAMP certification, however, is only required for CSPs working with federal agencies.
Number of Controls
Another difference is that FedRAMP has more controls than FISMA. These controls are specifically related to CSPs. For example, FedRAMP has 326 and 421 controls, respectively, for moderate-impact and high-impact cloud services. FISMA has only 261 and 343 controls, respectively, for all moderate-impact and high-impact information solutions and services.
ATO Requirements
To maintain an Authority to Operate (ATO) with U.S. federal agencies, CSPs must achieve and maintain both FISMA and FedRAMP certifications. That said, there are differences in the ATO certification process for each.
For instance, CSPs pursuing FedRAMP ATO must pass a 3PAO assessment (see the FedRAMP Certification Process section above). FISMA certification doesn’t require a 3PAO assessment.
Risk Assumption
Another difference is in the assumption of risk. Under FedRAMP, the federal agency that uses (or plans to use) a CSP assumes the risk of outsourcing information system management. With FISMA compliance, each agency and organization is responsible for managing its own compliance.
Maintain Your Certifications and Compliance Posture with ZenGRC
An automated, intuitive, and visual GRC tool like ZenGRC can help your organization simplify and speed up the FedRAMP and FISMA certification process.
Through automation and a plethora of powerful features, ZenGRC can easily manage both compliance standards. Templates and control mapping simplify document management and reduce duplicated efforts across frameworks.
It can also integrate with your existing systems and applications through ZenConnect, allowing you to manage multiple compliance-related tasks from a single platform. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.
Generate insightful compliance reports, get complete views of control environments, and ensure that up-to-date information is always on-hand to evaluate your compliance program.
Schedule a demo to see what ZenGRC can do for you!
Why sign up for the Risk Insiders newsletter?
To stay in the know! Get new blogs, resources, CPE opportunities, industry research & more — direct to your inbox.
