Federal Information Security Modernization Act (FISMA) Compliance
FISMA stands for the Federal Information Security Modernization Act of 2014. The original FISMA was the Federal Information Security Management Act of 2002.
FISMA compliance is based on a comprehensive framework designed to protect federal information, operations, and assets from threats ranging from natural disasters to cyberattacks.
Why FISMA Exists
FISMA originated as Title III of the E-Government Act of 2002, whose stated goal is to “enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.”
That title, the Federal Information Security Management Act of 2002, “requires each federal agency to develop, document, and implement an agency-wide security program. The agency’s security program should provide security for the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.” The Federal Information Security Modernization Act of 2014, the current version of FISMA, updated the 2002 law, clarified oversight roles, and strengthened incident reporting and the expectations for agency information security plans and safeguards.
The National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) are assigned specific responsibilities by FISMA to strengthen information security systems. The head of each agency is required to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.
Among the directives included in FISMA are the following.
- Authorizes the U.S. Department of Homeland Security (DHS) to deploy technology to other agencies’ networks upon request
- Establishes the federal information security incident center, operated within DHS as part of US-CERT (United States Computer Emergency Readiness Team)
- Gives DHS authority to administer the implementation of information security policies and practices for federal civilian (non-national-security) executive branch systems
- Requires agencies to notify and consult with the incident center about security incidents, including incidents on systems operated by contractors or other organizations on the agency’s behalf
- Requires the OMB to “eliminate inefficient and wasteful reporting”
Who Must Comply with FISMA?
FISMA is written for federal agencies, but its obligations follow federal information wherever it goes. State agencies that administer federal programs (for example, state Medicaid agencies handling federal data) are held to FISMA requirements through the programs they run.
The same applies to the private sector: FISMA covers information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency,” and the 2014 update reinforced this. In practice, any organization that supports a federal program, provides services to a federal agency, or handles federal information under a contract or grant is required, usually through the terms of that agreement, to meet FISMA compliance standards. The goal is to reduce the risk of unauthorized use, disclosure, or loss of federal data, regardless of where the threat originates.
How to Become FISMA Compliant
The Federal Risk and Authorization Management Program (FedRAMP) applies FISMA and the NIST SP 800-53 controls to cloud services, standardizing how cloud offerings used by federal agencies are assessed and authorized. Cloud service providers whose offerings are used by federal agencies must obtain FedRAMP authorization.
To be FISMA compliant, organizations must have data security controls in place, guided by the NIST framework. These include:
- Information system inventory
All organizations must maintain an inventory of all systems that are in use, as well as their associated integrations.
- Risk assessments
Risk assessments follow NIST SP 800-30 and are performed within the Risk Management Framework (RMF, NIST SP 800-37) at three tiers: the organization, its mission and business processes, and the individual information system.
- Risk categorization
Categorize each federal information system according to FIPS 199, assigning a low, moderate, or high impact level for confidentiality, integrity, and availability.
- Security controls
Select and implement the security controls in NIST SP 800-53 (organized into 20 control families in Revision 5), starting from the low, moderate, or high baseline in NIST SP 800-53B that matches the system’s FIPS 199 categorization and tailoring from there.
- System security plan
Develop and regularly update a security plan that ensures the required protections (i.e., confidentiality, integrity, authenticity, non-repudiation, availability of information, and information systems) are in place. It should include:
- Assignment of responsibilities
- Periodic assessments of risk
- Periodic testing and evaluation
- Policies and procedures
- Security awareness training
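The risk categorization and security control items above hinge on one mechanical step that is easy to get wrong when done by hand: the FIPS 199 high-water mark. Each information type a system processes has a provisional impact level for confidentiality, integrity, and availability; the system’s security category takes the highest level per objective across all of its information types, and the overall impact level (FIPS 200) is the highest of the three, which selects the SP 800-53B baseline. The following is an added example, not code from the original page or from Egnyte; the information types, their names, and their impact levels are constructed for illustration, and real provisional levels come from NIST SP 800-60 Volume II and agency adjustments.

```python
from enum import IntEnum
from typing import Dict


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


SECURITY_OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: three information types a hypothetical benefits portal
# processes, each with an assumed provisional impact level per objective.
SAMPLE_INFORMATION_TYPES: Dict[str, Dict[str, Impact]] = {
    "public_web_content": {
        "confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.MODERATE},
    "benefits_case_files": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "audit_logs": {
        "confidentiality": Impact.LOW, "integrity": Impact.HIGH, "availability": Impact.LOW},
}


def validate(info_types: Dict[str, Dict[str, Impact]]) -> None:
    """Reject inventories that would silently produce an understated categorization."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, levels in info_types.items():
        missing = set(SECURITY_OBJECTIVES) - set(levels)
        if missing:
            raise ValueError(f"{name}: missing impact level for {sorted(missing)}")
        for objective, level in levels.items():
            if not isinstance(level, Impact):
                raise ValueError(f"{name}/{objective}: {level!r} is not a FIPS 199 impact level")


def security_category(info_types: Dict[str, Dict[str, Impact]]) -> Dict[str, Impact]:
    """FIPS 199 high-water mark: per objective, the highest impact across all information types."""
    validate(info_types)
    return {
        objective: max(levels[objective] for levels in info_types.values())
        for objective in SECURITY_OBJECTIVES
    }


def category_drivers(info_types: Dict[str, Dict[str, Impact]]) -> Dict[str, list]:
    """Which information types set each objective's level; handy when justifying the categorization."""
    category = security_category(info_types)
    return {
        objective: sorted(name for name, levels in info_types.items()
                          if levels[objective] == category[objective])
        for objective in SECURITY_OBJECTIVES
    }


def system_impact_level(info_types: Dict[str, Dict[str, Impact]]) -> Impact:
    """FIPS 200: the overall system impact level is the highest of the three objectives."""
    return max(security_category(info_types).values())


def control_baseline(info_types: Dict[str, Dict[str, Impact]]) -> str:
    """The NIST SP 800-53B baseline selected by the overall impact level (tailoring comes afterwards)."""
    names = {Impact.LOW: "low", Impact.MODERATE: "moderate", Impact.HIGH: "high"}
    return names[system_impact_level(info_types)]


def format_security_category(system_name: str, info_types: Dict[str, Dict[str, Impact]]) -> str:
    """Render the category in the notation FIPS 199 itself uses."""
    category = security_category(info_types)
    parts = ", ".join(f"({objective}, {category[objective].name})" for objective in SECURITY_OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


if __name__ == "__main__":
    print(format_security_category("benefits_portal", SAMPLE_INFORMATION_TYPES))
    print("overall impact level:", system_impact_level(SAMPLE_INFORMATION_TYPES).name)
    print("SP 800-53B baseline:", control_baseline(SAMPLE_INFORMATION_TYPES))
    for objective, names in category_drivers(SAMPLE_INFORMATION_TYPES).items():
        print(f"  {objective} driven by: {', '.join(names)}")
```

Note what the sample shows: a single HIGH integrity rating on audit logs pulls the whole system to the high baseline even though every other cell is LOW or MODERATE. That is the intended behaviour of the high-water mark, and the `category_drivers` output is what you would cite in the system security plan if the organization wants to argue for adjusting that provisional level or moving the audit logs to a separately categorized system.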
All organizations that access federal data are required to undergo annual security reviews demonstrating that they can implement, maintain, and monitor systems to FISMA compliance standards. FISMA Assessment and Authorization (A&A) is described here as the four phases of the earlier certification and accreditation process; the current Risk Management Framework (NIST SP 800-37 Rev. 2) organizes the same work into seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor).
1. Initiation phase
Includes preparation, resource identification, and system analysis
2. Security certification phase
Includes security control assessment (i.e., prepare, conduct, and document) and certification documentation (i.e., informs the information system owner of vulnerable areas in the system and provides recommendations)
3. Security accreditation phase
Includes accreditation decision and documentation
4. Continuous monitoring phase
Includes system configuration, security management, monitoring, and reporting
Benefits of FISMA Compliance
There are a number of benefits associated with FISMA compliance:
- Enhanced data protection
A stringent set of data protection criteria and standards significantly improves protection and provides the programs needed to recover critical systems after an unexpected incident.
- Reduced risk
Required risk assessments and continuous monitoring identify risks proactively.
- Reduced reporting burden
FISMA 2014 directed OMB to eliminate unnecessary reporting.
- Increased revenue opportunities
Meeting FISMA compliance requirements allows organizations to win new business from federal agencies.
Penalties for FISMA Compliance Violations
For government agencies and private-sector vendors, failure to comply with FISMA could result in:
- Censure by U.S. Congress
- Government hearings
- Loss of future contracts
- Poor cybersecurity infrastructure
- Reduction or elimination of federal funding
- Reputational damage
Who Oversees FISMA Compliance?
Three bodies share responsibility for FISMA:
1. OMB, which oversees agency information security policies and practices and reports to Congress on agency compliance.
2. NIST, which develops the standards and guidelines (FIPS 199, FIPS 200, and the SP 800 series) that define IT security and risk management practices.
3. DHS, which administers the implementation of those policies and practices for federal civilian systems, including operational support and incident response, in order to maximize federal information system security.
Best Practices for FISMA Compliance
- Categorize information that requires protection
- Classify data based on its level of sensitivity as it is created
- Encrypt sensitive data
- Establish baseline controls for the minimum necessary standard of security
- Implement and document security controls
- Implement monitoring practices for security systems
- Stay up to date with FISMA standards, NIST guidelines, and other security best practices
- Perform risk assessments to optimize the security controls based on how data is used, stored, managed, and transmitted
FISMA Compliance Finetunes Data Security
Attaining FISMA compliance can bring monetary benefits, such as enabling private sector contractors to conduct business with federal agencies. FISMA compliance also boosts security to empower organizations to adhere to some of the highest standards and best practices. And, perhaps most importantly, FISMA compliance ensures proactive protection with ongoing risk assessment and management.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of users worldwide.
Last Updated: 10th March 2022