The United States enacted the Federal Information Security Management Act (FISMA) in 2002 as part of the E-Government Act of 2002 to enhance the administration of electronic government services and operations, and since has been amended by the Federal Information Security Modernization Act of 2014 (FISMA 2014). This law requires federal agencies to develop, implement, and maintain an information security program to protect the sensitive data they handle.
Data security guidelines published by the National Institute of Standards and Technology (NIST) provide the foundation for FISMA compliance. NIST is considered the authoritative body for creating, maintaining, and updating security standards for government agencies. As the underlying basis for FISMA, NIST:
- Sets minimum security requirements for establishing information security solutions and protocols;
- Provides recommendations on the types of security systems implemented by federal government agencies and approved third-party vendors;
- Standardizes risk assessment and auditing practices based on the severity of agencies’ security risk levels;
NIST’s standards for FISMA compliance are used to help federal agencies maintain an information security program to protect the sensitive information they use.
Understanding FISMA compliance is essential because any federal agency — or private businesses that work with a federal agency or receive federal grant money — must abide by the law.
More broadly, compliance with FISMA drives greater cybersecurity and protection of government information from cyberattacks, whether that’s military information, personal data, or U.S. trade secrets.
FISMA-compliant organizations receive Authorization To Operate (ATO) from the federal agency with which they do business. The agency granting the ATO may perform the contractor’s security assessment or enlist a certified third-party security assessor (3PAO) to do the job.
Meanwhile, the Federal Risk and Authorization Program (FedRAMP) is a program designed to help federal agencies secure their data in the cloud and streamline the use of Cloud Service Providers (CSPs).
It is easy to confuse FedRAMP and FISMA. Unlike FISMA, FedRAMP is only a guideline, not a law. Still, FedRAMP relies on the same security controls as FISMA from NIST Special Publication 800-53. Consequently, FedRAMP is often called “FISMA for the cloud.”
What is FISMA Compliance?
FISMA is one of the most essential federal data security and privacy standards. It was created to lower the security risk to government information and data while also controlling the federal information security budget.
FISMA compliance entails following a set of rules, regulations, and recommendations to safeguard personal or sensitive information in government systems. FISMA compels all government agencies and their suppliers, service providers, and contractors to strengthen their information security controls following these pre-defined standards.
The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) jointly monitor FISMA. NIST creates FISMA standards and guidance, including baseline security criteria, to help agencies and contractors improve their IT security and risk management procedures. The DHS oversees these projects to improve federal information system security.
Who Must be FISMA-Compliant?
Initially, FISMA’s data protection provisions applied solely to U.S. government agencies. While these requirements continue to apply to all federal agencies without exception, they are now also relevant to other organizations. As a result, every third-party contractor or other business that provides services to a federal agency and manages sensitive data on its behalf must likewise comply with FISMA.
As a result, the following organizations must comply with FISMA:
- Public or private sector organizations have contractual arrangements with government authorities.
- Organizations that are public or private who endorse a federal program or get federal funding.
- State-run programs like Medicaid and Medicare.
What Are the Three Levels of FISMA Compliance?
To comply with FISMA, a business must evaluate its information systems and the nature of its organization to focus on the most critical areas. FISMA defines three levels of possible impact on organizations or individuals in the event of a security breach. Below is an explanation of each impact level of FISMA compliance.
Low Impact
If the loss of confidentiality, integrity, or availability is projected to have limited harm on the organization’s activities, assets, or persons, the potential impact is considered low.
FISMA has defined some categories of Covered Defense Information (CDI) and Controlled Unclassified Information (CUI) as low impact, indicating that the total adverse effects will be minimal if compromised. For example, only minor financial loss or damage to the organization’s assets would be incurred.
The word to remember while assessing which systems and data are low-impact under FISMA is “limited.” Even if compromised, the harm to confidentiality, integrity, or availability of data would be limited. In that case, the compliance measures for those systems or types of data need only meet the low compliance level.
Moderate Impact
The next level of FISMA compliance is moderate impact, meaning the compromise would have more severe consequences than the low level. Moderate FISMA impact severely affects the organization’s operations, government entities, or individuals.
A severe adverse effect means losing confidentiality, integrity, or availability, which could, for example, significantly damage the organization’s assets or cause substantial financial loss.
Moderate impact data and systems can include any CDI or CUI, such as process manuals or financial data. While the consequences of these types of data compromise can be significant, there is no real-world severe damage or loss of life from moderate-level data hacking.
High Impact
High-impact data and systems are some of the most critical assets a contractor or vendor can manage, and they must be protected to the greatest extent possible under FISMA. If high-impact data is compromised, it can have significant consequences for an organization’s assets, government bodies, or individuals.
“Severe or catastrophic adverse effect” can include significant financial loss or damage to the organization’s assets. In the most extreme circumstances, for example, information regarding military strategy or access to crucial energy infrastructure might result in real-world harm and even death.
To achieve FISMA compliance, it’s vital to identify potential high-impact data and systems within your firm. It’s the most crucial factor to consider.
How Do You Become FISMA-Compliant?
FISMA compliance requires organizations to implement enterprise-wide security controls based on NIST guidelines. Several publications cover FISMA guidelines, such as NIST SP 800-53, Federal Information Processing Standards (FIPS) 199, and FIPS 200.
The FISMA requirements are as follows:
- Information systems inventory. FISMA requires every organization to maintain a complete inventory of information systems. The organization must also document how IT systems are integrated and share data.
- Categorize information systems and sensitive data. Categorize information systems and data by risk level and ensure that high-risk systems receive the highest level of security. FIPS 199 specifies how a government agency classifies security risks and obligations.
- Maintain a System Security Plan (SSP). Organizations must establish and maintain an up-to-date security plan as part of their FISMA compliance requirements. The plan includes security regulations and detailed internal security controls. This document is a tool for system owners and auditors to verify the effectiveness of controls.
- Develop security controls. NIST 800-53 defines 20 security controls that every agency must implement to comply with FISMA. Although FISMA does not require an organization to implement all 20 security controls, it must employ all controls relevant to its operations and systems.
- Conduct risk assessments. Using the Risk Management Framework (RMF), NIST recommends that risk assessments be three-tiered to identify security threats at the business process, information system, and organizational levels.
- Obtain accreditation. Certification and accreditation are also referred to as assessment and authorization. The organization will be accredited or authorized after an assessment determines that the information system meets the standards described in NIST SP 800-37, meaning the controls are effectively and consistently operating as intended.
- Implement continuous monitoring. Ongoing monitoring activities include continuous security controls, status reporting, system change impact analysis, configuration management, and periodic audits. A complete risk assessment should be conducted again if a significant change or update is made to a system to prevent non-compliance.
What Are the Best Practices for FISMA Compliance?
Achieving FISMA compliance doesn’t have to be a complicated process. By following some best practices, you can simplify your organization’s security assessment and accreditation process. In addition, the best practices listed below will assist your company in meeting all applicable FISMA criteria.
Implement a Data Security Plan
Maintain a comprehensive data security plan to classify data, monitor activity, and detect threats to your sensitive data that could lead to a data breach. Create security policies to manage access and categorize assets in your systems. Reference FISMA and applicable NIST guidelines to determine the appropriate security controls.
Keep Up on Changes in FISMA Standards
Reforms to FISMA can have significant implications for your company, so keeping abreast of any publications or changes to FISMA is essential. In addition, always look for chances to adopt a more holistic approach to your overall compliance strategy when you update your procedures to meet new FISMA regulations.
Maintain Documentation of Your FISMA Compliance Efforts
Documenting and retaining pertinent records provides authentication of your FISMA compliance efforts. Maintain evidence of internal audits and save documentation of risk categorization. It’s also beneficial to document controls and measures as they evolve. This information is valuable to auditors as they familiarize themselves with your FISMA journey.
Use ZenGRC for FISMA Compliance
Obtaining FISMA certification can take significant time and effort, mainly if your company still relies on antiquated technologies and spreadsheets to achieve and maintain compliance operations.
Our compliance professionals at Reciprocity can assist you in preparing your FISMA compliance program, streamlining the process, and reducing the workload on your team.
ZenGRC is a single source of truth that ensures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards give visibility to vulnerabilities and high-risk areas.