Like most information technology executives these days, when you hear the words compliance and audit — as the CEO, CFO or general counsel is walking your way — are you thinking, “What is it this time? Am I on the hook for another analysis and report for the queue?”
On any given day, you’ve got at least one request for a deep dive into a system or the information stored within. Yet with the security breaches we now see coming through the Internet, opening our information assets to theft and data corruption, cybersecurity compliance commands our attention. What is new is that enforcement of information security standards now follows close on the heels of their introduction.
Since May 2017, U.S. federal government agencies and organizations doing business with them have been doing double time to adhere to the president’s executive order for immediate implementation of the highest standards in cybersecurity the U.S. has seen to date. Agencies completed and submitted the first audits for compliance with the Federal Information Security Modernization Act (FISMA) standards by the end of 2018.
In simple language, the executive order states a value that is not new, but renews an emphasis within a cybersecurity context:
“An effective enterprise risk management program promotes a common understanding for recognizing and describing potential risks that can impact an agency’s mission and the delivery of services to the public.”
One thing we have known for some time is that standards for asset and information protection must extend to the locks and keys at the doors to our information systems. These complex doors need structured, defined and documented protections.
Cybersecurity Standards and Policy Framework
Originally introduced as a set of guidelines in 2002 after the Internet became more widely used and information sharing crossed borders, the FISMA was modernized and reintroduced by presidential executive order in 2014. Since then, FISMA standards have matured with the development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Department of Homeland Security (DHS) CIO FISMA Metrics. Also since then, the Internet has become an unexpected daily source of information security breaches.
The NIST FISMA Cybersecurity Framework (CSF) emerged as a set of voluntary standards, best practices and recommendations to improve cybersecurity at an organizational level. NIST wrote the CSF in 2014 with input from more than 3,000 people from industry, academia and government. The goal is to create a common language and set of standards around cybersecurity, as many standards and requirements before the FISMA CSF were laid out in a fragmented way.
Most recently, the European Union announced with urgency an unprecedented standard of protection around individual EU citizen information to be required starting May 2018. Europe’s General Data Protection Regulation (GDPR) represents the toughest requirements to meet around personal data. GDPR, adopted in 2016, was updated for compliance enforcement this year.
In May 2018, companies that do business in EU member nations will have to report data security breaches to EU nation representatives within three days of the occurrence. The reports must include details of the citizens whose data was involved. Organizations are concerned this is not enough time for an investigative cycle that typically takes at least two months. The GDPR also regulates the movement of personal data outside the EU.
Fragmented Development of Cybersecurity Policy and Compliance
While these two overarching governing actions in the U.S. and U.K. have recently placed requirements for risk management controls on information assets and information technology processes, the following have developed over time to address the management and security of specific types of data.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): U.S. legislation that set privacy and security standards to protect individuals’ personal medical records and other health information provided to health care providers. Fines for HIPAA compliance violations can reach the hundreds of thousands. The Department of Health and Human Services enforces the privacy and security rules.
- Sarbanes-Oxley Act of 2002 (abbreviated SOX): Legislation passed by the U.S. Congress which requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates audits on the controls. Fines and penalties for failing SOX compliance can run up to $5 million and jail time up to 20 years. The U.S. Securities and Exchange Commission administers the act.
- Payment Card Industry Data Security Standard, also known as PCI-DSS: A standard all organizations, including online retailers, must follow when storing, processing and transmitting customer credit card data. It’s meant to improve payment account security through the transaction process. The Payment Card Industry Security Standards Council developed and maintains the standard. Payment card brands and card owners are responsible for enforcing PCI-DSS compliance.
- Good Practice Guide 13, or GPG13: Known as protective monitoring, this is a United Kingdom government-recommended set of 12 controls — processes and technology — to improve company risk management and response to information systems attacks. The U.K. Protective Monitoring Solution requires a Security Information and Event Management Solution. The Security Policy Framework from the U.K. Cabinet Office sets mandatory standards for GPG13 compliance and provides guidance on risk management, compliance and assurance programs.
- U.S. State Laws: Individual state cybersecurity laws and proposed legislation focus on security breach notification, added cybersecurity for energy and critical infrastructure, identity theft and data disposal practices. Some of the state laws attempt to codify aspects of the FISMA.
Compliance enforcement can vary from voluntary to government- and industry-codified audits. In some of the FISMA audit reports submitted in 2017 by cabinet agencies, comments and suggestions were made to consolidate reporting for various audits related to cybersecurity into the FISMA compliance audit reports. Agencies cited a lack of IT staff to assign to multiple audits and the opportunity cost to fulfilling core IT responsibilities in support of agency mission and service delivery.
What Does Cybersecurity Compliance in 2018 Mean?
Be prepared for an update to your information system’s alphabet soup. Chief information officers, chief executive officers and other C-level executives will be learning abbreviations used in federal government agencies, and standards have glossaries to help.
Cybersecurity compliance in the U.S. means private and public organizations that do business with the federal government or receive funds from the federal government must institute the FISMA standards as defined by the NIST Cybersecurity Framework. Agencies and organizations must be able to show specific documentation, policies, procedures and defined processes.
The framework addresses critical infrastructure, which is defined as systems and assets whose incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters. Included would be utilities providing energy and water, as well as sectors that provide transportation, financial services, communications, health care, food and agriculture, chemical facilities, dams, key manufacturers, emergency services and others.
For federal agencies that have completed a cybersecurity compliance audit under FISMA, the process has taken four to six months and produced audit reports of around 50 pages for each agency.
New compliance requirements have impacted small to large organizations, as many work with government agencies and their information systems. At its core, cybersecurity compliance for your organization is about categorizing important and sensitive information and establishing a methodology for protecting each category against internal vulnerabilities and external break-ins.
Cybersecurity Compliance as a Best Practice
Key to cybersecurity compliance and the audit process is to recognize the cybersecurity framework approach as common sense — a matter of security and executive management best practices. It’s about having a carefully thought-out plan about your risks, how your organization will respond to a threat or breach and the team responsible for action.
FISMA emphasizes the agency-wide responsibility of the chief information officer. The responsibility of the federal government agencies’ Office of the CIO is clearly to develop, implement and maintain a security program. Programs are required to assess risk and provide security for the operations and assets of programs and systems under the agency’s control.
At organizations interfacing and doing business with the federal government, the CIO would be a central point for overseeing the network operations, compliance and risk management of secure information management. For smaller organizations that do not have a designated CIO, an external consultant or similarly skilled person may fulfill the responsibilities in a part-time capacity.
Many CIOs and individuals assigned to security and network management roles within organizations might already have practices for collecting and monitoring data. Especially for organizations that have experienced a security breach at some point, IT managers know the identification of a breach requires collecting data — sometimes large amounts — to analyze and compare normal versus irregular activities.
Best practice encourages standard policies, procedures and processes that place us in the position of being proactive and responsive, rather than reactive, and having to shut down operations.
Security threat assessment has required the collection of comprehensive data across multiple levels. This includes real-time events, log files, and data from applications, file systems, firewalls and scanners. Experience shows us that readily available data allows us to respond quickly, while having no records can make response and recovery almost impossible. FISMA compliance instills data collection as part of security policy, procedure and process, so organizations can respond more quickly and prevent loss or being forced out of business.
In accordance with FISMA, federal agencies must demonstrate compliance by completing:
- annual agency program reviews,
- annual Inspector General (IG) evaluations,
- agency reporting to the U.S. Office of Management and Budget (OMB) on the results of IG evaluations for unclassified systems and
- an annual OMB report to Congress summarizing the material received from agencies.
Federal government agencies, state government agencies involved in federal programs and their contractors are required to complete FISMA cybersecurity compliance audits, including organizations that receive federal grant funds.
With the fiscal year 2017 IG FISMA Reporting Metrics issued by the DHS Office of Cybersecurity and Communications, a “report card” was established for cybersecurity risk measures related to national security. The metrics provide a consistent form and format for agencies to report FISMA audit results to DHS and identify reporting topics that relate to specific agency responsibilities outlined in FISMA.
The Cost of Non-Compliance
While FISMA may not have penalties for non-compliance, the effects of non-compliance or not following a standard can cost an organization. These costs could include having to shut down temporarily or permanently in a cyber-attack scenario. One need only look at recent security breaches to companies like Equifax and the Office of Personnel Management to understand how organizations can halt daily operations, lose revenue and pay high remediation costs.
Examples of other compliance standards include HIPAA privacy and security. Violations of HIPAA by health care providers can result in civil and criminal penalties. One standard that protects against the knowing misuse of individually identifiable health information can result in fines up to $250,000 or up to 10 years in prison. Multiple violations of the same standard in a calendar year can run up to $25,000 in fines for each violation.
PCI-DSS-compliant retail companies must use a firewall between a wireless network and the cardholder data repository, use the latest security and authentication, change default settings for wired privacy keys, and use a network intrusion detection system. Fines for not complying can range from $25,000 per month for the largest retailers to $5,000 per month for the smallest. In the event of a data breach, per-incident fines can go as high as $500,000. Chronic non-compliance can result in the revocation of the retailer’s credit-card processing privileges.
What Is a Cybersecurity Compliance Audit?
Essentially, the FISMA compliance audit consists of an annual agency cybersecurity program review, evaluated by the Inspector General for government agencies, for evidence that the agency has applied FISMA to its information systems. The Inspector General provides results for unclassified systems to the U.S. Office of Management and Budget, which then reports to Congress.
For contractors and state government agencies, audits under the framework may be performed by government agencies or by private consultants that provide compliance audit services and reporting.
An authorizing official (AO) who is a senior official or executive would be granted the authority to assess a FISMA-regulated system. The AO evaluates the controls and risks and identifies as acceptable or unacceptable the risk to organizational operations, assets, individuals or other organizations, or the nation.
For the audit report, an organization provides documentation that standards are in use, with most attention to NIST Special Publication (SP) 800-53 and SP 800-137. An accurate inventory list of information systems would be itemized to include:
- Standard data elements used to develop and maintain an up-to-date inventory of hardware assets connected to the organization’s network, software and licenses
- Cloud systems, public-facing websites, third-party systems
- A list of integrations among systems, especially as applied to those using federal data
- Categorization by risk level of each information system and set of information
- The security plan with security controls, current policies and procedures and a general timetable for future control implementation
- Security plans for personnel and their roles and responsibilities
- Security control implementation across the organization, awareness and training, contingency planning, maintenance, incident response and risk assessment
- Risk assessment with detailed categories and levels, identified as processing or storing active government data, prioritized relative to mission and business function importance
The Office of Management and Budget, in conjunction with additional security requirements under FISMA, requires periodic FISMA certification and accreditation. SP 800-37 outlines a Risk Management Framework that implements a continuous monitoring process and proof of compliance.
Cybersecurity compliance is reviewed on an annual basis at a minimum. Federal agencies must provide reports to Congress by March 1, which may determine their needs from and timelines for state agencies and contractors. Real-time system information must be provided to FISMA auditors at the time of review.
The NIST Cybersecurity Framework outlines a model for assessment of your organization’s level of ability to identify, protect, detect, respond to and recover from a cybersecurity threat. The process requires making:
- Executive risk determination to include external-facing, corporate assets, non-technical/general and reputation/public relations
- IT department risk determination to include internal facing, network assets, technical/specific
Depending on the size of the organization, a select set of the organization’s information management systems will be inspected against these evaluation criteria.
The final report from an audit inspection itemizes findings, prior year conditions, recommendations and status. Findings can include risk management and other activities that are not compliant with FISMA. Findings can also include activities that are not compliant with the organization’s own policies. Weaknesses may also be itemized without specific recommendations in the audit report.
The audit process is part of a continuous plan that tracks progress toward, or implementation and closure of, recommendations at each review or audit. The agency individuals responsible for cybersecurity programs and compliance document their management responses to each itemized recommendation.
What Items Should Be Reviewed During a Cybersecurity Compliance Audit?
The agency supplies relevant templates for an audit. For some agencies, compliance requirements from non-FISMA standards and regulations may be included when relevant to the framework. This helps consolidate audit requirements, as well as tie them into the overall cybersecurity compliance program.
FISMA standards, as defined by the NIST, include the following, with emphasis on SP 800-53 and SP 800-137:
- FIPS 199: The Federal Information Processing Standard for security categorization in federal information systems
- FIPS 200: Minimum security requirement set for federal information and information systems
- SP 800-18: Developing security plans for federal information systems
- SP 800-30: Conducting risk assessments
- SP 800-37: Applying the risk management framework to federal information systems, a security lifecycle approach
- SP 800-39: Special publication on managing information security risk
- SP 800-47: Security guide for interconnecting information technology systems
- SP 800-53: Security and privacy controls for federal information systems and organizations; its addendum, SP 800-53A, covers assessment of these controls
- SP 800-59: Guideline for identifying an information system as a national security system
- SP 800-60: Since August 2008, a guide for mapping types of information systems to security categories
- SP 800-128: Security-focused configuration management of information systems
- SP 800-137: Information security continuous monitoring for federal information systems and organizations
- SP 800-160: A systems security engineering guideline, integrated approach to building trustworthy and resilient systems
One of the key standards in assessing controls on federal government information and information systems is the Federal Identity, Credential and Access Management (FICAM) Roadmap Implementation Guidance. An organization’s identity, credential and access management (ICAM) tools, policies and systems allow management, monitoring and secure access to protected resources. FICAM is managed by the Government Service Administration’s Office of Information and Integrity Access.
A compliance audit will evaluate an organization’s performance in the five cybersecurity framework functions — identify, protect, detect, respond and recover — which fall under eight FISMA “metric domains,” or program areas.
The status of the information systems under the following domain areas of an organization’s IT security program is measured in accordance with DHS’s FISMA IG reporting requirements, FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.1.3. Next to each domain name is an abbreviated description of the standard components required.
- Risk management: Comprehensive inventory management process for hardware, assets, software and system interconnections. Interconnections include virtual private networks and firewall connections. Risk executive function established that will help ensure risk assessments are completed, and risk is communicated throughout the organization. Determined acceptable levels of risk, based on defined tier levels. Tier determination includes tier assignment, tier definition and in-depth understanding of tier assignments.
- Contractor systems: Outsourced information systems services, including cloud computing and storage, address information confidentiality, information integrity and availability.
- Configuration management: Developed and maintained baseline configurations and approved standard configuration settings for information systems. Established routine audit processes to ensure systems maintain compliance with established configurations.
- Identity, credential and access management: Establishing an organizational ICAM strategy, and ensuring an auditing process is implemented for all individuals with access.
- Security and privacy training: Implemented IT security training program. Performing workforce assessments to identify gaps in IT security training needs.
- Information security continuous monitoring: Established policies, processes and procedures, and conducting a security controls assessment on all information systems.
- Incident response: All FISMA metrics are in place at the level of “consistently implemented” or higher.
- Contingency planning: Implement, maintain and routinely test contingency plans.
As important as the cybersecurity plan and program components, a compliance audit will evaluate the status of the organization’s IT security governance structure and the organization’s system security assessment and authorization methodology.
Assessors require reports as part of a FISMA audit, and FISMA requires annual reports from government agencies. Organizations can simplify their lives by investing time and money into automating as many reports as possible.
How Often Should a Company Perform a Cybersecurity Audit?
FISMA requires federal agencies to be audited annually and to submit reports by March 1, with additional semiannual reporting. If you do business with a federal agency, you’re required to comply with FISMA. Timing your audit process to align with the agency with which you do business could make sense. The information they may need from you as part of their audit or report would then be available at the time they need to submit their agency report.
FISMA, the NIST Cybersecurity Framework and the DHS metrics that support FISMA represent best practices in cybersecurity. A program based on these components with the right reporting will go a long way to provide the documentation you need for an audit. More than that, you’ll incorporate controls, policies and processes into all aspects of your business. That’s lower risk and higher long-term satisfaction for customers — especially government customers — and employees.
FISMA has emerged as the overall standard for federal government agencies and touches every sector. Each federal agency has some of its own compliance policies as well, depending on its mission and services, the types of information it manages, and its internal- and external-facing customers.
Different sectors may have different timing of audits. Most will be overall risk management, security and financial audits. Seek out the controls stressed by the agency that will be assessing compliance of your cybersecurity program. If you’re in the process of getting a contract, look to the agency and its website to find information security policies and requirements. The chief information officer may be a good source if you can’t find information on the website.
Should the Audit Be Completed Internally, or by an External Evaluator?
How an organization conducts a compliance audit will depend on the organization, its resources and, in some instances, its size. Larger organizations may have the internal resources and IT expertise to perform internal audits.
All organizations should perform some ongoing level of internal monitoring. FISMA requires organizations to evaluate their controls at least annually. Best practices would be to apply controls and have continuous opportunities to evaluate them.
It’s a good practice, in line with FISMA and the NIST framework, to document evidence of your ongoing evaluation of security controls, your findings and the process implemented to remediate weaknesses or areas for improvement. One person with an appropriate skill level is typically assigned ownership of remediation. An audit tracking system can support the process and your readiness for compliance audits.
Organizations whose budgets cannot cover the internal personnel should look for outside help, such as a consultant who can provide recommendations on information systems cybersecurity management, or a compliance service.
Larger and more complex organizations may need an external evaluator to help them prepare for overall compliance across multiple business units or offices. External evaluators can often assist with a preparatory, or mock, compliance audit prior to an audit by the agency with which they do business.
Because the federal agencies have already gone through the cybersecurity compliance audit process, the agency CIO or their office would have some ideas about what would be required. It’s a good idea to ask questions to help you make the right decision for your organization.
Once the Audit Is Complete, What Next Steps Should Ensure Compliance?
The NIST framework and all cybersecurity best practices emphasize the continuous nature of the standards compliance process. Because cyber-attacks are constantly changing, preparedness to identify and respond must also be constant and adaptive to the changes.
All reviews will include recommendations and identification of weaknesses. Your organization’s responses will include specific statements about what you are going to continue to do to meet full compliance. When the compliance audit is complete, continue your process for planning and improving controls.
Note that the agency to which your organization is connected will also receive recommendations and weaknesses to which they must respond. Your organization can learn a lot from their audit reports about their priorities and activities to improve compliance. In some instances, you may find aligning your continued improvements to their responses may push compliance forward on both ends.
If some of the recommendations from your compliance audit are beyond your grasp or your organization doesn’t have the internal resources, consider outside help. This is a sign of strength.
FISMA-Compliant Cybersecurity Program = Best Practice Framework
FISMA and the NIST Cybersecurity Framework form a best practice framework built with the input of experienced professionals and stakeholders. An organization that follows the NIST standards and DHS metrics, coupled with agency- and industry-specific standards, should be doing what is common sense.
Security and risk assessment are the key factors of focus.
Plans, policies, procedures and processes are standard in all parts of a business where information management is concerned. Cybersecurity is just another way in which a business maintains, stores and shares information.
Technology requires expertise, as data breaches and security threats have become widespread and can ruin an organization’s reputation or financial stability. To learn more about technology tools designed to meet FISMA compliance, download one or all of our whitepapers to gain more understanding about the changes to information security regulations in the U.S. and elsewhere. You’ll learn how to make the adjustments as new regulations require us to integrate stringent standards for information security.
- General Data Protection Regulation (GDPR): Obligation Without the Hype
- 10 Common Pitfalls to Avoid When Evaluating Security Information Management (SIM) Solutions
- Essential Practices for Achieving Security Compliance Management
BlackStratus offers a family of FISMA-compliant event management software designed to help you meet FISMA compliance requirements with ease, no matter the size of your network or organization. The CYBERShark software system incorporates security with an array of powerful capabilities for protecting critical data and maintaining compliant operations:
- Real-time incident identification gives your users instant visibility into threats, identifying them as they happen so breaches can be prevented in real time.
- Automated correlation technology analyzes all logged events for threatening patterns, prioritizing critical threats and filtering out false positives so your team can focus on true dangers.
- A FISMA-compliant data center is core to FISMA-regulated organizations. As a cloud-based system, CYBERShark achieves high speeds and scalability with ease. It’s compliant with the highest cloud security standards so data remains safe and secure.
- Centralized event logging management and storage automatically creates logs of incidents in your system, allowing you to investigate events with all applicable data. These logs also include in-depth incident summaries with drill-downs that arm you with security tools you can demonstrate during a compliance audit.
- Security and compliance reports of the CYBERShark system speak to the reason FISMA regulations exist. To effectively support FISMA security controls requirements, CYBERShark includes a set of FISMA-compliant reporting packs to help your organization track incidents. Your organization can identify risks and mitigate FISMA compliance violations due to unacceptable risks.
While most systems that offer these security compliance controls are difficult to install and rather expensive, CYBERShark from BlackStratus provides an easy and affordable solution. Cost-effective yet advanced, CYBERShark gives your government contracting business handy tools to maintain FISMA compliance. Best of all, it’s easy to set up and integrate into your existing systems, and you can get started with this system today.