What Does it Mean to be FISMA Compliant?
The Federal Information Security Management Act, or FISMA, is a comprehensive cybersecurity law with widespread impact on federal agencies, state agencies handling federal programs, and the contractors and service providers working with those agencies. Its effect is therefore wide-ranging, and FISMA requirements often overlap with or inform other, more specific compliance frameworks.
At its core, however, FISMA dictates some of the most basic and fundamental cybersecurity practices that governed organizations must adhere to. Read on to learn what it means to meet FISMA compliance.
What is FISMA?
FISMA is one part of the larger E-Government Act of 2002. Congress passed this law to modernize U.S. cybersecurity and move government agencies onto digital systems to improve data privacy, integrity, and efficiency. As part of this law, Congress rightly included FISMA to define the security requirements critical for maintaining IT systems that contain sensitive data.
In 2014, Congress extended and amended FISMA with the Federal Information Security Modernization Act (also FISMA), updating the original law to address modern security challenges.
Under FISMA, security guidelines and requirements are drafted and updated by the National Institute of Standards and Technology (NIST), an organization that publishes policies and best practices covering diverse topics like IT security controls, risk management practices, encryption requirements and more.
The central tenets of FISMA are laid out in the “CIA triad”:
- Confidentiality: An agency or contractor must implement security measures to ensure that sensitive data remain private from unauthorized handling.
- Integrity: IT systems and audits must ensure that information is not deleted or manipulated outside of authorized uses and that data corruption is avoided.
- Availability: While remaining private and secure, information must be available for lawful and authorized use by government or contractor employees.
Penalties for noncompliance with FISMA can vary from agency to agency, depending on the situation:
- A government agency that fails to comply can lose funding, face censure by Congress, or see work removed from the government employees involved.
- A contractor that fails to comply can also lose funding, contracts or the ability to enter into future government contracts.
On top of these penalties is the risk of a data breach, should noncompliance lead to a successful attack.
What Documents Define FISMA Compliance Requirements?
Several documents outline the core requirements of FISMA compliance. These documents include:
- NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations”: This document provides a catalog of security and privacy controls that organizations implement as part of their compliance. An organization will usually not be expected to implement all of these controls, but rather a subset selected according to its security or compliance needs.
- NIST Special Publication 800-30, “Guide for Conducting Risk Assessments”: This document outlines best practices for conducting risk assessments of federal IT systems as part of the Risk Management Framework (RMF).
- Federal Information Processing Standards (FIPS) 199, “Standards for Security Categorization of Federal Information Systems”: This document categorizes federal systems based on the impact a breach of their data would have on the agency and its constituents. Categories range from low-impact systems (limited damage) to high-impact systems (potentially catastrophic harm).
- FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems”: This document, combined with FIPS 199 and NIST 800-53, dictates the minimum security requirements an organization must meet for FISMA.
- NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”: For contractors managing Controlled Unclassified Information (CUI), FISMA compliance may involve implementing controls listed in this document, rather than NIST 800-53.
What Basics Does My Company Have to Meet for FISMA Compliance?
While regulations, documents and agencies all play a role in FISMA compliance, at the end of the day, agencies and contractors must follow some basic best practices.
Some of these steps include:
- Inventory System Resources: Any agency or government contractor must create an up-to-date inventory of all IT systems and resources.
- Implement Security Controls: Depending on the organization’s security impact level and working relationships, it must fully implement the required controls from NIST 800-53 or NIST 800-171. Basic FISMA calls for implementing at least 20 controls from 800-53 for most agencies and contractors.
- Create a System Security Plan: FISMA requires organizations to plan, create, and maintain security plans on federal IT systems.
- Conduct Risk Assessments: Agencies and contractors must regularly conduct risk assessments under the RMF at any point that their IT systems change. Many compliance requirements also promote the use of risk assessments to plan security measures above and beyond baseline requirements.
- Accreditation: Organizations must undergo annual certification reviews to achieve and maintain FISMA compliance.
The approach most organizations take is to plan for these general requirements, understand the NIST and FIPS documents, and work with professionals who can guide them through FISMA certification.
Work With FISMA Compliance Experts
FISMA compliance isn’t, and doesn’t have to be, a solo effort. While it always benefits an organization to understand its own cybersecurity requirements, modern cybersecurity challenges are better addressed with expert help. Continuum GRC conducts regular, automated audits for compliance with NIST standards like NIST 800-53 and 800-171 and the overarching Cybersecurity Framework (CSF) and Risk Management Framework.
Ready to Start Automating Security Audits?
Call Continuum GRC at 1-888-896-6207 or complete the form below.