FedRAMP vs. FISMA Compliance: What is the Difference?
Working with federal agencies can be a big boon for enterprise and SMB service providers. Not only is it a lucrative and challenging market, but providers can also deliver critical infrastructure support to the operation and defense of the country. The regulations, however, can prove a nightmare. For example, do you need to comply with FISMA or with FedRAMP? What role does NIST play? Who can you work with to get started?
Here, we’ll answer one of the more basic and important questions: What is the difference between FedRAMP and FISMA authorization? Depending on the type of services you offer, you could be working through a set of similar, yet slightly modified, regulatory obligations.
What is FISMA?
The Federal Information Security Management Act (FISMA) was passed by Congress in 2002 to address the pressing need for IT standards and cybersecurity regulations for government agencies and contractors.
More specifically, FISMA requires that individual agencies adhere to government-wide minimum standards while also developing and implementing their own, agency-specific information security programs. These programs must address the needs of that agency within the larger FISMA framework and demonstrate how the agency meets them. Any federal agency, any state agency that administers federal programs, and any vendor working with federal agencies or programs is required to comply with FISMA.
In 2014, FISMA was updated through the Federal Information Security Modernization Act (also FISMA) to update security regulations to address modern threats, including an emphasis on continuous monitoring and cloud computing.
Guidelines for FISMA compliance are set in documents published by the Office of Management and Budget (OMB), the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST), in particular the NIST Risk Management Framework and the FIPS and Special Publication series NIST maintains under FISMA.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) was established by OMB in 2011 as a government-wide program built on the same NIST foundation as FISMA. Instead of covering federal IT generally, however, FedRAMP focuses on the security assessment, authorization and continuous monitoring of Cloud Service Providers (CSPs) that serve federal agencies.
FedRAMP, while following much of the same regulatory framework as FISMA (see more below), has its own governance: OMB sets policy, the FedRAMP Program Management Office (PMO) at the General Services Administration (GSA) runs the program day to day, and a FedRAMP Joint Authorization Board (JAB), made up of the Chief Information Officers of the Department of Defense (DoD), the Department of Homeland Security (DHS) and GSA, granted provisional authorizations that agencies could reuse. (The JAB has since been replaced by a FedRAMP Board, but the agency-reuse model it established remains the core of the program.)
What is the Difference Between FedRAMP and FISMA?
The short answer is that they are somewhat different when it comes to their scope and application. These differences include:
- Application: FedRAMP is a specific framework applied to cloud services and the vendors that supply them. A cloud vendor may well already satisfy FISMA requirements for a given customer, but it must hold a FedRAMP authorization before any federal agency may put its cloud service into use.
- Scope: Under FISMA, a system is authorized by one specific agency. Because each agency is responsible for its own security program and its own Authorization to Operate (ATO), an IT provider must be authorized separately by every agency that uses its system. FedRAMP, on the other hand, is built around reuse: a CSP's security package and assessment results are done once and can be reused by multiple agencies, even if an individual agency adds requirements for its own use of the service.
- Assessment: Under FISMA, vendors and agencies must implement the required baseline controls and demonstrate that implementation through a System Security Plan, assessment reports and ongoing reporting to the authorizing agency. Under FedRAMP, a CSP must be assessed by an accredited, independent Third-Party Assessment Organization (3PAO), and it must then meet FedRAMP continuous monitoring requirements, including recurring vulnerability scanning, Plan of Action and Milestones (POA&M) reporting and an annual reassessment. The 3PAO assesses; it is not the CSP's advisor, since independence is the point.
- Applicability: All federal agencies, and the vendors whose systems they operate or rely on, must meet FISMA requirements. Only contractors or subcontractors offering cloud services to federal agencies must obtain a FedRAMP authorization.
FIPS 199 and NIST 800-53
While there are differences between the two frameworks, they stem from the same core NIST standards. This means that managing both FISMA and FedRAMP authorization becomes easier once you understand those underlying documents, because the control set and the categorization scheme carry across both.
Generally, the two core documents for both FISMA and FedRAMP are:
- NIST Special Publication 800-53: This document catalogs the security and privacy controls that agencies and contractors must implement under both FISMA and FedRAMP. Controls are grouped into families, for example:
- Access Control (AC) and Identification and Authentication (IA)
- Risk Assessment (RA) and Security Assessment and Authorization (CA)
- System and Communications Protection (SC) and System and Information Integrity (SI)
- Planning (PL) and Configuration Management (CM)
- Audit and Accountability (AU) and Incident Response (IR)
FedRAMP uses the SP 800-53 Low, Moderate and High baselines as its starting point but adds its own control parameters and additional controls, so a FedRAMP baseline is a superset of the corresponding FISMA baseline, not an identical copy.
- FIPS 199: The Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) defines the impact levels used to categorize a system. Each system is rated for the potential impact of a loss of confidentiality, integrity or availability, and the overall category is the highest rating across the three (the "high water mark"). That category then determines which SP 800-53 baseline applies. The levels are:
- Low Impact: A loss of confidentiality, integrity or availability would have a limited adverse effect on agency operations, agency assets or individuals.
- Moderate Impact: A loss would have a serious adverse effect, such as significant degradation of mission capability, significant financial loss, or significant harm to individuals that does not involve loss of life or serious injury.
- High Impact: A loss would have a severe or catastrophic adverse effect, such as an inability to perform primary mission functions, major financial loss, or severe harm to individuals up to and including loss of life or serious life-threatening injury.
Use Automated Auditing Tools with Continuum GRC
With the similarities between FISMA and FedRAMP, vendors working in the federal space can benefit from an automated auditing and compliance partner that can streamline assessment on both ends. Continuum GRC provides that automation with expert assessors and cloud auditing tools that can reduce an audit from a task that takes weeks or months to one that only takes days.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.