ZenGRC

Simply Powerful GRC

FISMA

3 Levels of FISMA Compliance: Low Moderate High

· ·

The United States enacted the Federal Information Security Management Act (FISMA) in 2002 as part of the E-Government Act of 2002 to enhance the administration of electronic government services and operations and has since been amended by the Federal Information Security Modernization Act of 2014 (FISMA 2014). This law requires federal agencies to develop, implement, and maintain an information security program to protect the sensitive data they handle.

Data security guidelines published by the National Institute of Standards and Technology (NIST) provide the foundation for FISMA compliance. NIST is considered the authoritative body for creating, maintaining, and updating security standards for government agencies. As the underlying basis for FISMA, NIST:

  • Sets minimum security requirements for establishing information security solutions and protocols.
  • Provides recommendations on the types of security systems implemented by federal government agencies and approved third-party vendors.
  • Standardizes risk assessment and auditing practices based on the severity of agencies’ security risk levels.

NIST’s standards for FISMA compliance are used to help federal agencies maintain an information security program to protect the sensitive information they use.

Understanding FISMA compliance is essential because any federal agency — or private businesses that work with a federal agency or receive federal grant money — must abide by the law.

More broadly, compliance with FISMA drives greater cybersecurity and protection of government information from cyberattacks, whether that’s military information, personal data, or U.S. trade secrets.

FISMA-compliant organizations receive Authorization To Operate (ATO) from the federal agency with which they do business. The agency granting the ATO may perform the contractor’s security assessment or enlist a certified third-party security assessor (3PAO) to do the job.

Meanwhile, the Federal Risk and Authorization Program (FedRAMP) is a program designed to help federal agencies secure their data in the cloud and streamline the use of Cloud Service Providers (CSPs).

It is easy to confuse FedRAMP and FISMA. Unlike FISMA, FedRAMP is only a guideline, not a law. Still, FedRAMP relies on the same security controls as FISMA from NIST Special Publication 800-53. Consequently, FedRAMP is often called “FISMA for the cloud.”

What is FISMA Compliance?

FISMA is one of the most essential federal data security and privacy standards. It was created to lower the security risk to government information and data while also controlling the federal information security budget.

FISMA compliance entails following a set of rules, regulations, and recommendations to safeguard personal or sensitive information in government systems. FISMA compels all government agencies and their suppliers, service providers, and contractors to strengthen their information security controls following these pre-defined standards.

The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) jointly monitor FISMA. NIST creates FISMA standards and guidance, including baseline security criteria, to help agencies and contractors improve their IT security and risk management procedures. The DHS oversees these projects to improve federal information system security.

Who Must be FISMA-Compliant?

Initially, FISMA’s data protection provisions applied solely to U.S. government agencies. While these requirements continue to apply to all federal agencies without exception, they are now also relevant to other organizations. As a result, every third-party contractor or other business that provides services to a federal agency and manages sensitive data on its behalf must likewise comply with FISMA.

As a result, the following organizations must comply with FISMA:

  • Public or private sector organizations have contractual arrangements with government authorities.
  • Public or private organizations that endorse a federal program or get federal funding.
  • State-run programs like Medicaid and Medicare.

What Are the Three Levels of FISMA Compliance?

To comply with FISMA, a business must evaluate its information systems and the nature of its organization to focus on the most critical areas. FISMA defines three levels of possible impact on organizations or individuals in the event of a security breach. Below is an explanation of each impact level of FISMA compliance.

Low Impact

If the loss of confidentiality, integrity, or availability is projected to have limited harm on the organization’s activities, assets, or persons, the potential impact is considered low.

FISMA has defined some categories of Covered Defense Information (CDI) and Controlled Unclassified Information (CUI) as low impact, indicating that the total adverse effects will be minimal if compromised. For example, only minor financial loss or damage to the organization’s assets would be incurred.

The word to remember while assessing which systems and data are low-impact under FISMA is “limited.” Even if compromised, the harm to confidentiality, integrity, or availability of data would be limited. In that case, the compliance measures for those systems or types of data need only meet the low compliance level.

Moderate Impact

The next level of FISMA compliance is moderate impact, meaning the compromise would have more severe consequences than the low level. Moderate FISMA impact severely affects the organization’s operations, government entities, or individuals.

A severe adverse effect means losing confidentiality, integrity, or availability, which could, for example, significantly damage the organization’s assets or cause substantial financial loss.

Moderate impact data and systems can include any CDI or CUI, such as process manuals or financial data. While the consequences of these types of data compromise can be significant, there is no real-world severe damage or loss of life from moderate-level data hacking.

High Impact

High-impact data and systems are some of the most critical assets a contractor or vendor can manage, and they must be protected to the greatest extent possible under FISMA. If high-impact data is compromised, it can have significant consequences for an organization’s assets, government bodies, or individuals.

“Severe or catastrophic adverse effect” can include significant financial loss or damage to the organization’s assets. In the most extreme circumstances, for example, information regarding military strategy or access to crucial energy infrastructure might result in real-world harm and even death.

To achieve FISMA compliance, it’s vital to identify potential high-impact data and systems within your firm. It’s the most crucial factor to consider.

How Do You Become FISMA-Compliant?

FISMA compliance requires organizations to implement enterprise-wide security controls based on NIST guidelines. Several publications cover FISMA guidelines, such as NIST SP 800-53, Federal Information Processing Standards (FIPS) 199, and FIPS 200.

The FISMA requirements are as follows:

  • Information systems inventory. FISMA requires every organization to maintain a complete inventory of information systems. The organization must also document how IT systems are integrated and share data.
  • Categorize information systems and sensitive data. Categorize information systems and data by risk level and ensure that high-risk systems receive the highest level of security. FIPS 199 specifies how a government agency classifies security risks and obligations.
  • Maintain a System Security Plan (SSP). Organizations must establish and maintain an up-to-date security plan as part of their FISMA compliance requirements. The plan includes security regulations and detailed internal security controls. This document is a tool for system owners and auditors to verify the effectiveness of controls.
  • Develop security controls. NIST 800-53 defines 20 security controls that every agency must implement to comply with FISMA. Although FISMA does not require an organization to implement all 20 security controls, it must employ all controls relevant to its operations and systems.
  • Conduct risk assessments. Using the Risk Management Framework (RMF), NIST recommends that risk assessments be three-tiered to identify security threats at the business process, information system, and organizational levels.
  • Obtain accreditation. Certification and accreditation are also referred to as assessment and authorization. The organization will be accredited or authorized after an assessment determines that the information system meets the standards described in NIST SP 800-37, meaning the controls are effectively and consistently operating as intended.
  • Implement continuous monitoring. Ongoing monitoring activities include continuous security controls, status reporting, system change impact analysis, configuration management, and periodic audits. A complete risk assessment should be conducted again if a significant change or update is made to a system to prevent non-compliance.

What Are the Best Practices for FISMA Compliance?

Achieving FISMA compliance doesn’t have to be a complicated process. By following some best practices, you can simplify your organization’s security assessment and accreditation process. In addition, the best practices listed below will assist your company in meeting all applicable FISMA criteria.

Implement a Data Security Plan

Maintain a comprehensive data security plan to classify data, monitor activity, and detect threats to your sensitive data that could lead to a data breach. Create security policies to manage access and categorize assets in your systems. Reference FISMA and applicable NIST guidelines to determine the appropriate security controls.

Keep Up on Changes in FISMA Standards

Reforms to FISMA can have significant implications for your company, so keeping abreast of any publications or changes to FISMA is essential. In addition, always look for chances to adopt a more holistic approach to your overall compliance strategy when you update your procedures to meet new FISMA regulations.

Maintain Documentation of Your FISMA Compliance Efforts

Documenting and retaining pertinent records provides authentication of your FISMA compliance efforts. Maintain evidence of internal audits and save documentation of risk categorization. It’s also beneficial to document controls and measures as they evolve. This information is valuable to auditors as they familiarize themselves with your FISMA journey.

Use ZenGRC for FISMA Compliance

Obtaining FISMA certification can take significant time and effort, mainly if your company still relies on antiquated technologies and spreadsheets to achieve and maintain compliance operations.

Our compliance professionals at ZenGRC can assist you in preparing your FISMA compliance program, streamlining the process, and reducing the workload on your team.

ZenGRC is a single source of truth that ensures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards give visibility to vulnerabilities and high-risk areas. Schedule a demo today!

What is a FedRAMP Certification?

· ·

Cloud service providers (CSPs) that want to compete for U.S. federal government contracts must first obtain FedRAMP certification — akin to a seal of approval from the federal government, that the CSP’s cybersecurity meets basic standards. 

FedRAMP certification benefits small and large CSPs by boosting security, increasing efficiency, and smoothing the path to doing business with U.S. government agencies.

So what is FedRAMP, exactly, and how can your CSP achieve certification? This article will explore those questions. 

What Is FedRAMP?

The Federal Risk and Authorization Management Program, or FedRAMP, standardizes the processes that U.S. government agencies use to evaluate and purchase cloud-based IT services. 

The goal of FedRAMP is to ensure that federal data existing on the cloud is protected to an appropriately high degree. The required FedRAMP level of security is set by legislation. In addition, 14 other statutes and regulations apply, and 19 standards and guidance documents exist that CSPs must follow. In other words, understanding FedRAMP is no easy task.

FedRAMP Certification vs. FedRAMP Compliance

A CSP can approach FedRAMP in two ways: certification or compliance. The two terms are definitely not the same thing.

FedRAMP certification involves undergoing a full security assessment and FedRAMP authorization process under the Joint Authorization Board (JAB). CSPs going this route need to draft a System Security Plan (SSP) that thoroughly documents their security controls, undergo readiness assessments, and work with accredited Third-Party Assessors (3PAOs) to perform required audits and produce a final Security Assessment Report (SAR) for review by the JAB.

Once certified, rigorous continuous monitoring is required, including submitting monthly updates and annual assessments and developing a Plan of Action and Milestones (POA&Ms) to address any vulnerabilities you have. Becoming FedRAMP-certified signals alignment with stringent cloud security standards for government customers.

CSPs can also go the route of FedRAMP compliance. Here, you simply self-attest to FedRAMP security controls without formal 3PAO verification. 

FedRAMP certification delivers more validation (through an external audit) but requires more time and resources. Compliance, on the other hand, can be an interim option to demonstrate baseline security. Both can aid CSPs in instilling trust during competitive federal pursuits.

Why Is FedRAMP Certification Important?

FedRAMP certification is important because without it, you’re not likely to win any business with the U.S. federal government (nor most state and municipal governments, too, since they tend to follow the feds’ lead on cybersecurity protocols).

The FedRAMP Marketplace lists FedRAMP-approved cloud service providers. When federal government agencies want a new cloud solution, they first look to this marketplace. For those agencies, selecting an already authorized product is much easier than starting the approval process with a new cloud provider. You’re far more likely to do business with government agencies when listed in the FedRAMP Marketplace. 

FedRAMP certification can also help you advance your business in the private sector because the FedRAMP Marketplace is open to the public. Many private companies searching for a trusted CSP start by checking which vendors are on the FedRAMP Marketplace.

Some potential clients might need to be educated about FedRAMP, but most larger businesses know about FedRAMP, especially if they do business with the federal government. Requiring FedRAMP certification could become a deal-breaker as you try to close business with more mature companies.

When Is FedRAMP Required?

FedRAMP compliance or certification is required for any CSP offerings intended for adoption by U.S. federal government agencies per mandates from the General Services Administration (GSA).

When a federal agency plans to use a cloud-based product or service for moderate or high-impact data, it must choose a provider that follows FedRAMP standards. CSPs must then either pursue the formal FedRAMP authorization process and certification through the JAB or self-attest to FedRAMP security control implementation. Even for low-impact data usage, federal agencies increasingly expect some FedRAMP alignment from CSPs before procurement. (FedRAMP certification is also essential for any CSP servicing the Department of Defense.) 

Beyond the federal government, state and local agencies also favor FedRAMP-aligned cloud solutions, underlining the standard’s centrality to public sector business.

What Are FedRAMP Compliance Requirements?

To demonstrate FedRAMP compliance, cloud service providers (CSPs) must implement the baseline security controls defined by National Institute of Standards and Technology (NIST) Special Publication 800-53. The core requirements include:

  • Documenting information security in a System Security Plan (SSP)
  • Performing annual self-assessments of deployed security controls
  • Establishing robust configuration management protocols
  • Enabling continuous monitoring of systems and networks
  • Developing detailed incident response and contingency plans
  • Instituting stringent access control mechanisms
  • Providing role-based security training
  • Maintaining detailed audit logs and records

Additionally, based on the chosen CSP compliance path, you may need to publish SSPs to FedRAMP Connect or undergo a 3PAO assessment. Beyond initial compliance, staying current on changing FedRAMP requirements and maintaining validated security over time is mandatory.

What Is the FedRAMP Certification Process?

FedRAMP certification is a long, complex, and potentially expensive process. Unlike FISMA (Federal Information Security Management Act), which allows organizations to perform their own assessments, FedRAMP certification must be performed by a certified 3PAO.

A cloud services provider can get certified in one of two ways, according to FedRAMP.gov:

  • A Joint Authorization Board (JAB) provisional authorization to operate is known as a P-ATO.
  • An Agency Authority to Operate, or an ATO.

Joint Authorization Board (JAB) Provisional Authorization

The Joint Authorization Board consists of representatives from the U.S. Department of Defense (DoD), the U.S. Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB sets the FedRAMP accreditation standards and reviews authorization packages, including results from the assessments done by the 3PAOs.

In this case, the CSP has to prove a demonstrated demand for its service by many agencies. Therefore, the JAB P-ATO is good for CSPs offering services that multiple agencies might want to use.

Agency Authority to Operate

The second way a CSP can obtain certification is via an Agency Authority to Operate. This is done through a specific agency, which grants the CSP the final Authority To Operate (ATO).

As part of the agency certification or ATO authorization process, a CSP works directly with an agency sponsor, which will review the CSP’s security package. This approach is best for cloud service providers that have developed niche offerings for only a few federal agencies.

To decide which type of security authorization suits your CSP offering, review both processes and consider the system deployment model, technology stack, market demand, and impact level.

Federal agencies categorize CSPs’ cloud service offerings into three impact levels: low, moderate, and high. These levels refer to the severity of potential harm in the event of a breach. The higher the level, the more security and data protection the CSP must provide.

Even if a CSP doesn’t work with government agencies, adopting FedRAMP security controls as part of its business plan will provide potential customers with the peace of mind that comes from knowing they’re working with a provider the U.S. government has carefully vetted.

How long does it take to get FedRAMP certification?

The time necessary to achieve FedRAMP certification isn’t set in stone. Instead, it varies based on several factors.

First is the complexity of the system being certified. Simple systems usually undergo assessment and certification faster than complex ones. Adequate preparation is another crucial factor. 

Another factor is the initial assessment phase conducted by the 3PAO. This evaluation period, and how promptly an organization responds to feedback, can affect the overall timeline significantly.

All that said, a good rule of thumb is that FedRAMP certification typically takes six to 18 months — but that estimate can vary (greatly) based on the unique characteristics of the system seeking certification, the responsiveness of the organization undergoing the process, and the efficiency of the assessment and approval phases.

FedRAMP Certification Best Practices

CSPs can follow several best practices to demonstrate their cybersecurity maturity and improve the odds that an Authorizing Official (AO) will approve your offering.

Select and Implement Technical Security Controls

Implement as many technical FedRAMP restrictions as possible. Remember, the AO will be trying to find reasons to doubt your security controls. (This is especially true if you’re using third-party tools and have a lot of API connections to different services.)

Pipeline Security for CI/CD

In theory, the Continuous Integration Continuous Deployment (CI/CD) software development method should improve and simplify security by incorporating automated testing early in development. Unfortunately, too many firms use CI/CD as an excuse to release shoddy code based solely on the results of a few difficult-to-configure automated security tests.

As a result, AOs have a healthy skepticism about CI/CD methodologies. Development teams can help AOs be more comfortable with this software development and deployment approach by demonstrating increased security maturity across the development pipeline.

Avoid Infrastructure-as-Code (IaC)-based approaches

Infrastructure-as-Code (IaC)-based approaches generally make dealing with massive infrastructures and deployments easier. That said, orchestration technologies such as CloudFormation, Azure ARM, Terraform, or similar solutions to deploy templates can run the risk of spreading known vulnerabilities throughout your infrastructure.

As a result, be aware that an IaC-based strategy will be met skeptically. Document and be prepared to address all IaC templates in use, how they’re chosen and managed, what images those templates refer to, and why those images should be trusted. You’ll also have to show that you have a solid strategy for scanning templates and recognizing their weaknesses.

Formal Threat Modeling

Software threat modeling is a field significantly more advanced than standard risk assessment. Potential attack techniques are linked to system operations and specific code parts in threat modeling.

For example, your team should consider how every stage in user authentication could be exploited or whether your software is subject to more obscure injection-type flaws. You can also use the threat modeling approach to show you know your IaC templates and security-related configurations inside and out.

This level of modeling demonstrates your understanding of your infrastructure and code.

Postponing Development Deployments to Federal Clients

Many CSPs believe that applying FedRAMP regulations uniformly across their federal and non-federal customers is too tricky. As a result, they create dedicated settings for government clients, and the commercial production environment serves as a test environment. 

While this may delay the delivery of features to federal clients, it often lowers an AO’s perceived risk. If you go this route, apply security patches to both environments as soon as they become available.

Manage FedRAMP Compliance With ZenGRC

Officials from the Defense Department have stated that the objective of FedRAMP certification is to keep compliance costs low. ZenGRC can help you achieve cost-effective compliance with complicated cloud security standards and frameworks.

ZenGRC templates make self-assessments easier. Our central dashboard gives you a unified picture of all your compliance frameworks, revealing where gaps in your cybersecurity program exist and how to solve them.

Schedule a demo today to see how ZenGRC can help you achieve “Zen-mode” compliance!

NIST and FedRAMP: A Brief Overview

· ·

If you are new to the U.S. government’s rules for federal government contractors, there can be a host of tricky compliance terms to navigate. So here is a quick primer on two of the most important terms a CISO is likely to encounter: NIST and FedRAMP.

NIST Background

The National Institute of Standards and Technology (NIST) produces standards and risk assessment frameworks for a wide range of subjects, including cybersecurity. These documents typically take the form of Special Publications (SP).

For example, the NIST SP 800 series deals with computer security. Specifically, NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, details the security and privacy controls that must be in place for information systems in the U.S. government.

Other publications in the SP 800 series cover issues such as including risk management (SP 800-37 and SP 800-30,) and business continuity planning (SP 800-34).

Why Is NIST Important?

The Federal Information Security Management Act of 2002 (FISMA) and Federal Information Security Modernization Act of 2014 (also called FISMA, and which updates the original law) require U.S. government agencies to implement information security controls using a risk-based approach to information security and cybersecurity assessment. Each agency must report its compliance annually to the Office of Management and Budget (OMB) — and the primary framework used for FISMA compliance is detailed in NIST SP 800-53.

In other words, to be a government contractor, your business must comply with NIST standards to meet annual FISMA compliance requirements. In addition, contractors managing IT systems on behalf of government agencies may also be required to report their compliance with FISMA and other security standards, such as the PCI-DSS standard for protecting credit card data.

How FedRAMP Enters the Compliance Picture

The Federal Risk and Authorization Management Program (FedRAMP) helps U.S. government agencies to reap the benefits of cloud services while minimizing duplicative information security work. It essentially serves as a seal of approval for cloud service providers (CSPs); when a CSP meets FedRAMP standards, federal agencies can use that CSP without the exhaustive due diligence and testing that might typically happen.

CSPs offer cloud products, such as IaaS, PaaS, and SaaS, for sale to the government. These systems must meet the requirements of FISMA; FedRAMP provides a way to streamline the security and risk assessment process for maximum efficiency, so organizations can engage in a cloud-first strategy.

FedRAMP relies on several of the NIST SP documents, including 800-53 as a library of system controls and 800-37 for risk management. The streamlining occurs with a focus on which controls the CSP manages and which are managed by the agency purchasing the cloud services.

For example, a SaaS provider will offer the same shared physical security protections to all users due to the use of a single data center or hosting facility, leading to a low risk for these users. Conversely, each acquiring agency is responsible for implementing appropriate password controls which are sufficiently secure.

A CSP that wants to sell services to the U.S. government must identify which controls are relevant to the services the CSP is selling, and then engage a qualified third-party assessment organization (3PAO) to conduct a risk assessment. Once this assessment has been conducted on behalf of one government agency, other agencies may rely on the report of that assessment without having to conduct their own — saving time and money.

How Are NIST and FedRAMP Connected?

NIST provides standards and guidelines around risk management, information security, and privacy controls for information systems used by the U.S. government. FedRAMP employs the NIST guidelines to enable U.S. government agencies to use cloud services securely and efficiently.

In other words, if you’re a cloud service provider and want to bid on government contracts, you must comply with NIST standards so that you can be part of the FedRAMP program and have a much easier time offering your services to U.S. government customers.

While NIST and FedRAMP compliance are not required for private organizations that don’t bid on federal government contracts, following those standards is still a wise idea for any organization that wants to take a smart approach to cloud-based services and cybersecurity.

Manage NIST and FedRAMP Compliance with RiskOptics

RiskOptics makes managing both NIST and FedRAMP compliance pain-free. The RiskOptics ROAR Platform has FedRAMP and NIST SP 800-53 controls pre-loaded, so you can leverage existing work from compliance with other regulations to get FedRAMP compliant. You can also prepare evidence for your 3PAO quickly and more easily with the audit module.

To learn more about managing NIST and FedRAMP controls in our comprehensive risk management platform, schedule a demo today.