What is FISMA Compliance?
FISMA stands for the Federal Information Security Management Act, which was passed by the United States Congress in 2002. FISMA was created to require each federal agency to develop, document, and implement a complete information security plan to protect and support the operations of the agency. FISMA compliance is data security guidance set by FISMA and the National Institute of Standards and Technology (NIST).
FISMA compliance is mandatory for all federal agencies and any contractors or other organizations supporting a federal agency in IT system. That means not only federal agencies, but private sector companies that do business with federal agencies also must adhere to the same information security guidelines.
Why you need FISMA Compliance?
Today’s complex information systems and networks are enormously beneficial for most users, but they do come with certain inherent risks. Federal agencies are an alluring target for hackers because these agencies transmit, process, and store vital, strategic, and confidential information that could be used for personal gain or to harm national interests. That’s why proper information security is so vital to a federal agency’s ability to fend off cyber criminals and protect sensitive national security information.
-
Key Benefits of FISMA Compliance:
- assuring clients that their sensitive data is protected
- protecting government information and assets with confidentiality, integrity, and availability
- reducing IT related cost to the federal government
- maintaining loyal clients and attract new ones
-
Penalties for Poor FISMA Grades:
- censure by congress
- negative publicity for the agency
- reduced federal funding for agencies
It is critical that agencies conduct a FISMA assessment to determine the risks to federal information systems and become compliant with this regulation.
How to become FISMA Compliant?
To be FISMA compliant you need to information security controls across your organization based on the guidance from NIST. Specific FISMA requirements are detailed in NIST SP 800-53 Rev. 4 (current publication), the Federal Information Processing Standards (FIPS) publications 199 and 200.
FISMA requirements include:
- Information System Inventory: FISMA requires every agency to maintain an inventory of all systems and their integrations in use.
- Risk Categorization: FIPS 199 documents how an agency categorizes their risk and security requirements. Each agency is responsible for maintaining the highest level of security necessary per this document.
- System Security Plan: FISMA requires that each agency have a security plan in place and a process to make sure the plan is updated regularly.
- Security Controls: NIST 800-53 Rev. 4 defines 20 security controls that each agency must implement to be FISMA compliant.
- Risk Assessments: Any time an agency makes a change to their systems, they are required to perform a three tiered risk assessment using the Risk Management Framework (RMF).
- Certification and Accreditation: FISMA requires each agency to conduct yearly security reviews. Agencies must demonstrate they can implement, maintain, and monitor systems to be FISMA compliant.
How WCG will help you?
WCG provides knowledgeable and experienced consultants to assist federal agencies to improve their security posture and become compliant with FISMA.
-
Our FISMA Assessment Service helps clients to:
- Categorize the information to be protected
- Select minimum baseline controls
- Refine controls using a risk assessment procedure
- Document the controls in the system security plan
- Implement security controls in appropriate information systems
- Assess the effectiveness of the security controls once they have been implemented
- Determine agency-level risks to the mission or business case
- Monitor the security controls on a continuous basis