FISMA, the Federal Information Security Management Act of 2002, is Title III of the E-Government Act of 2002, a federal law in the United States enacted by Congress. It requires federal agencies to protect the confidentiality, integrity, and availability of their information and information systems, and it directs NIST to develop the standards and guidelines agencies must follow to do so.

The law mandates that every federal agency create, implement, and monitor an agency-wide information security program to protect the information and information systems that support its operations and assets. That includes systems operated on the agency's behalf by another agency, a contractor, or a third-party vendor.

In 2010 the Office of Management and Budget (OMB) issued reporting guidance that moved agencies away from annual paper reports and toward automated data feeds into CyberScope, the government-wide FISMA reporting tool, and toward continuous monitoring of FISMA-regulated systems.

FISMA was amended in 2014, in response to the rising number of cyberattacks against the U.S. government, and renamed the Federal Information Security Modernization Act of 2014 (still abbreviated as FISMA). The 2014 law kept OMB in its oversight role, gave the Department of Homeland Security operational responsibility for administering information security policy across civilian executive-branch agencies, shifted reporting further toward continuous monitoring, and added requirements for agencies to report major incidents to Congress.

The current version covers the security of agency information systems wherever they are hosted, including cloud services, as well as the handling and reporting of data breaches involving federal information systems.

Let’s take a closer look at the role FISMA plays in state and federal government.  

Does FISMA apply to state governments?

Yes, to the extent a state or local agency operates information systems on behalf of a federal agency or handles federal information under a federal program. FISMA itself binds federal agencies, but its requirements flow down through contracts, grants, and program-specific rules to state and local governments that participate in federal programs such as Medicare, Medicaid, and federally backed student loans.

Now that we have discussed what FISMA is and which government agencies it applies to, let’s take a look at how FISMA compliance is achieved. 

How Do State and Federal Agencies Achieve FISMA Compliance?

In 2003 the National Institute of Standards and Technology (NIST) created the FISMA Implementation Project to develop the standards and guidelines agencies must use in their risk management programs. The resulting framework, built on FIPS 199, FIPS 200, and the NIST SP 800 series (notably SP 800-37, the Risk Management Framework), provides the following guidance.

Risk Assessments

NIST SP 800-30 provides guidance for conducting risk assessments, and NIST SP 800-39 frames them at three tiers: the organization, its mission and business processes, and individual information systems. Assessing at all three tiers lets an agency identify where security incidents are likely and prioritize the work that reduces their likelihood and impact.

Risk Categorization

Agencies must categorize each information system, and the information it processes, by the impact a loss of confidentiality, integrity, or availability would have on the agency's mission. The strongest controls then go to the systems and data with the highest potential impact.

To support this, FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” defines three impact levels (low, moderate, and high) for each security objective. A system's impact for each objective is the highest impact of any information type it handles, and its overall category is the high-water mark across the three objectives; that overall level selects the minimum control baseline under FIPS 200 and NIST SP 800-53.
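The FIPS 199 categorization procedure, written out as an added example (not code from the original article): each information type on a system gets an impact level per security objective, the system takes the highest level for each objective, and the overall category is the high-water mark, which selects the SP 800-53 baseline. The information types and impact values below are constructed for illustration; the level names, the high-water-mark rule, and the rule that “not applicable” is allowed only for confidentiality come from FIPS 199.

```python
# Added example: FIPS 199 security categorization of an information system.
# Sample information types below are constructed, not from any real agency.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact levels in increasing order. FIPS 199 allows "N/A" only for the
# confidentiality of information intended for public release.
LEVELS = ["N/A", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
            if level == "N/A" and objective != "confidentiality":
                raise ValueError(f"{self.name}: N/A is permitted only for confidentiality")


def categorize_system(info_types: List[InfoType]) -> Tuple[Dict[str, str], str]:
    """Return (impact per objective, overall category) for a system.

    Per objective, the system inherits the highest impact of any information
    type it handles; the overall category is the high-water mark across the
    three objectives. Integrity and availability are at least LOW, so the
    overall result is never N/A even when all confidentiality values are.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {
        objective: max((getattr(t, objective) for t in info_types), key=LEVELS.index)
        for objective in OBJECTIVES
    }
    overall = max(per_objective.values(), key=LEVELS.index)
    return per_objective, overall


def baseline_for(overall: str) -> str:
    """Map the overall FIPS 199 category to the SP 800-53 baseline name."""
    return {"LOW": "low", "MODERATE": "moderate", "HIGH": "high"}[overall]


def format_sc(system_name: str, per_objective: Dict[str, str]) -> str:
    """Render the categorization in the notation FIPS 199 uses."""
    pairs = ", ".join(f"({obj}, {per_objective[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample: a benefits portal that serves public content and also
# processes eligibility records for a federally funded program.
SAMPLE_SYSTEM = [
    InfoType("public web content", "N/A", "LOW", "LOW"),
    InfoType("benefit eligibility records", "MODERATE", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    impacts, category = categorize_system(SAMPLE_SYSTEM)
    print(format_sc("benefits portal", impacts))
    print(f"overall category: {category} -> SP 800-53 {baseline_for(category)} baseline")
```

The N/A check matters in practice: an integrity or availability value of N/A in a categorization worksheet is a data-entry error, not a valid result, and silently treating it as the lowest level would understate the baseline.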

Information Inventory

Agencies must maintain an inventory of every information system they operate or have operated on their behalf, along with the interfaces and interconnections through which sensitive data moves between those systems.

Security Controls

NIST SP 800-53 and FedRAMP work together to provide the control foundation for FISMA-regulated agencies. SP 800-53 is the catalog of security and privacy controls, and the low, moderate, and high baselines drawn from it, that agency systems must implement; FedRAMP applies those same controls, with cloud-specific tailoring, to cloud service providers (CSPs) that serve federal agencies.

FedRAMP is a U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies, so that one CSP authorization can be reused across many agencies.

Together they give agencies a thorough outline for implementing security controls and achieving FISMA compliance. Not every control in SP 800-53 or FedRAMP applies to every system: the FIPS 199 impact level selects the baseline, and the agency then tailors it, documenting which controls are implemented by the system, which are inherited from a common control provider such as a FedRAMP-authorized CSP, and which are scoped out and why.

Security Plan

FISMA (and FedRAMP, for cloud services) requires agencies to document a system security plan (SSP, per NIST SP 800-18), keep it current, and continuously monitor whether its controls are working. The SSP describes the system boundary, its FIPS 199 categorization, the security policies that mitigate risk and prevent unauthorized access to sensitive data, and how each selected control is implemented; controls not yet in place are tracked in a plan of action and milestones (POA&M) with owners and target dates.

Certification and Accreditation

FISMA requires agencies to assess their controls, report annually to OMB and Congress, and keep residual risk at an acceptable level. Once assessment findings are remediated or formally accepted, the system goes through what FISMA originally called certification and accreditation (C&A). Under the Risk Management Framework (NIST SP 800-37) this step is now called authorization: an authorizing official reviews the SSP, the assessment results, and the POA&M and grants an authorization to operate (ATO), which the agency must then maintain through continuous monitoring.

How ZenGRC Can Help You Achieve FISMA Compliance

In large organizations such as federal and state agencies, keeping track of compliance documentation and of employees with outstanding compliance requirements is not only complex and time-consuming; it is risky. The chance of human error is high, and non-compliance can bring failed audits, budget and congressional scrutiny, and lost federal business.

ZenGRC automates your compliance tasks, provides a baseline to help you improve and track ROI for compliance, and tracks all documentation and requirements in a single, central location so you always know your organization’s compliance posture for compliance certifications and requirements.

With ZenGRC performing so many FISMA compliance tasks for you and, at the same time, helping to improve your cloud security, you can stop worrying about compliance and turn your focus to other, more pressing matters—such as landing more lucrative government contracts. 

To better understand how ZenGRC automation can help you navigate FISMA compliance, schedule a free demo today!