Government compliance standards can seem like a veritable alphabet soup. Making matters worse, many of them, like FedRAMP and FISMA seem to overlap, and many organizations aren’t sure which rules are mandatory to do business. With the rise of cloud computing, there has been an increased emphasis within the government to transition to commercial cloud services. It is mandated within the government to move to cloud-based services if they are available to meet the mission need of the federal agency.
Two standards that seem to cause the most questions are FISMA and FedRAMP.
FedRAMP and FISMA
FedRAMP and FISMA are separate initiatives that are closely tied by NIST 800-53A controls. The two have nearly identical goals: to protect federal government systems and data. Yet, with agencies implementing increasingly diverse environments, including a dramatic shift to cloud computing, it is equally essential to ensure the security of data in the cloud as it is the security of data on-premises—and to do so with specific requirements relative to each environment.
What is FISMA?
FISMA began 2002 as the Federal Information Security Management Act, then updated in 2014 to the Federal Information Security Modernization Act. FISMA applies to:
- All federal government agencies
- State agencies that administer federal programs, such as Medicare/Medicaid and student loans
- All private-sector firms that support federal programs sell services to the federal government or receive federal grant money
In a nutshell, FISMA requires the implementation of information security controls that utilize a risk-based approach. The primary framework for FISMA compliance is NIST 800-53. Organizations that demonstrate FISMA compliance are awarded an Authority to Operate (ATO) from the federal agency they are doing business with. This ATO applies only to that particular agency; if an organization has contracts with multiple federal agencies, they must obtain an ATO from each one. The logic behind this is that because every federal agency has different data security needs and vulnerabilities, different controls may apply. A FISMA assessment may be performed directly by the agency granting the ATO or a third-party security assessor.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) was designed to support the federal government’s “cloud-first” initiative by making it easier for federal agencies to contract with cloud providers. Like FISMA, the controls outlined in FedRAMP are based on NIST 800-53.
Unlike FISMA, which requires organizations to seek an ATO from each federal agency, a FedRAMP ATO qualifies a cloud service provider to do business with any federal agency. Because FedRAMP ATO’s are more far-reaching, the certification process is far more rigorous. It must also be performed by a certified third-party assessment organization (3PAO) such as Lazarus Alliance. Finally, FedRAMP is more specific than FISMA. FISMA applies to information systems security in general, while FedRAMP applies only to cloud service providers and federal agencies that plan to use cloud service providers.
Since the FedRAMP certification process is so demanding, a FedRAMP ATO is beneficial even for cloud service providers that do not currently work with the federal government. Private-sector companies are aware of how difficult it is to comply with FedRAMP and recognize it as a gold standard of cloud security.
However, this is not to say the FISMA compliance process is “easy.” Organizations need to map the specific NIST 800-53 controls to the FISMA requirements of each agency they wish to do business. There are hundreds of different controls, and figuring out which ones apply in each situation can be quite complicated.
What is NIST?
NIST has been mentioned quite a bit in this post, so what is it? The National Institute of Standards and Technology (NIST) is a non-regulatory agency that is part of the United States Department of Commerce. Its mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
Among many other responsibilities, NIST creates and promotes information security standards for the federal government. These standards are outlined in NIST’s SP-800 series of publications, including NIST SP 800-53 (also known as NIST 800-53). This describes security controls for federal information systems and organizations and documents security controls for all federal information systems, except those designed for national security. Federal agencies must comply with NIST guidelines and standards within one year of their publication.
The controls outlined in NIST 800-53 are the basis for FISMA as well as FedRAMP, DFARS, CJIS, HIPAA, and others.
Federal agencies looking for a FedRAMP-compliant product or service will likely also expect it to be FISMA-compliant. Cloud service providers should comply with both FISMA and FedRAMP regulations to maintain an ATO from the U.S. government.
The cybersecurity experts at Continuum GRC have in-depth knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies worldwide sustain proactive cybersecurity programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
Want to learn more?