A Guide to FISMA Compliance Requirements
Every organization that maintains a computer network is vulnerable to outside attacks, regardless of their size or industry. From small home-based businesses to multinational corporations, hackers and viruses are constantly looking for vulnerabilities so they can steal valuable personal and financial information.
The risk is greater the more information your business handles. So what about government agencies like the FBI, IRS, DoD and their contractors?
Government-affiliated organizations are at even greater risk of attack, as they are prime targets for both domestic and foreign agents. Considering that government affiliates handle both classified government information and reams of personal and financial information on citizens, protecting data is a high priority for these organizations. With the number of security threats on the rise, the U.S. government has taken action with several security regulations with which its agencies and affiliates must comply. One of these is FISMA.
FISMA, or the Federal Information Security Management Act, is a piece of United States legislation that defines a framework designed to protect government information, operations and assets from threats. The legislation does this by assigning responsibilities to various agencies and groups to ensure data security from both human-made and natural disasters.
It also requires contractors to take certain steps toward tighter data security. Failure to follow these regulations can result both in breaches and censure from the United States government, along with reduced federal funding.
FISMA compliance requirements are both numerous and complex — even for established government contracting organizations. To help understand this regulation in greater detail, we’ve created a guide to FISMA compliance, complete with an FISMA compliance checklist and details on how BlackStratus’ FISMA-compliant log management system can help.
FISMA at a Glance: What Is FISMA?
The Federal Information Security Management Act, commonly referred to as FISMA, is a United States federal law. The law was passed in December 2002 as Title III of the larger E-Government Act, or Public Law 107-347. FISMA makes it a requirement for all federal agencies and their contractors to bolster their information security programs through various means. This was part of a larger effort on the part of the United States government to improve their management of electronic services and processes.
FISMA essentially replaced the Government Information Security Reform Act, or GISRA by updating and expanding the regulations of GISRA to apply to changing government agency needs.
Most notable was the addition of requirements for non-national security government agencies and the explicit requirements of federal agencies to “develop, document and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.”
FISMA regulations apply to all agencies of the United States federal government. Since its enactment in 2002, however, the agencies and organizations to which FISMA applies have been expanded to include the following groups:
- Federal Agencies: Federal agencies were the original target of the FISMA bill, as the original act was meant to bolster the government’s efforts toward electronic security. As such, all federal agencies are required to meet FISMA compliance by default.
- State Agencies: Since the bill passed in 2002, FISMA has expanded to include state agencies involved in federal programs. Since these agencies handle sensitive federal data, they are as responsible for its security and upkeep as federal agencies. Agencies included in this expansion include those that manage federal programs like unemployment insurance, student loans, Medicare and Medicaid, among others.
- Private Sector Contractors: FISMA further expands its reach into the private sector, since many agencies contract jobs to private companies. Because these contractors handle highly sensitive federal data, it follows that such organizations should comply with FISMA regulations like any federal agency. Today, any private sector companies with contractual relationships with federal agencies must follow FISMA regulations as closely as state and federal agencies. These include government contractors that provide services or support for or receive grant money from these agencies.
The latter of these FISMA expansions has caught many companies by surprise in the past, since the law was originally designed solely for government agencies. While the law helps strengthen information security for the government and its affiliates, compliance with the law can be an involved activity due to its sheer scope and the extensive requirements involved.
The Evolution of FISMA
As stated previously, FISMA rose as a replacement to the previous law, GISRA. With hacking attempts on the rise, FISMA was the United States’ method of bolstering cybersecurity. Originally passed in December 2002 as Title III of the E-Government Act, FISMA increased data security requirements for federal agencies and eventually expanded to cover any entity handling federal data. After the act passed in December 2002, implementing FISMA became a national priority. The process was divided into two phases.
The first phase, which took place between 2003 and 2012, involved the FISMA Implementation Project. It launched in January 2003. This first step focused on establishing critical guidelines and security standards for use across agencies and organizations so that all could understand and implement the regulations practically. The National Institute of Standards and Technology, or NIST, played a significant role in this process by producing key publications to expand on the rules. These papers are discussed in greater detail in the next section.
The second phase of the FISMA Implementation Project, which took place primarily between 2007 and 2012, focused on establishing a shared understanding of FISMA and the supporting documentation from NIST. To accomplish this, more reference materials were published to help create common approaches to the regulations. This included reference materials for training, support, ISO harmonization and assessment requirements.
Once the dust settled, FISMA was a resounding success. It established itself as one of the most significant federal data security regulations of the modern era. With its focus on reducing security risks while maintaining cost efficiency, FISMA helped government agencies and, eventually, contractors, to make the most of their security measures by establishing uniform guidelines and security standards. The result has been heightened security across the United States government and its affiliates.
FISMA has and will continue to be updated as technology solutions change. The most recent of these updates came in December 2014 with the publication of Public Law 113-283.
What Are the NIST Publications?
After the passing of FISMA, the NIST took a primary role in the implementation of the law. Essentially, the organization created and promoted standards to be used by federal agencies and government contractors to implement FISMA properly. These standards were published along with supplementary best practice materials and include:
- FIPS 199: The Federal Information Processing Standard (FIPS 199) is a standard for security categorization in federal information systems. It was put in place in February 2004.
- FIPS 200: This document set minimum security requirements for federal information and information systems as of March 2006.
- SP 800-18: Standing for Special Publication, SP 800-18 was the first of many special publications. It presented a guide for developing security plans for federal information systems. The first version came out in February 2006.
- SP 800-30: This special publication is a guide for conducting risk assessments, first published in September of 2012.
- SP 800-37: A guide for applying the risk management framework to federal information systems, this publication provided a security life cycle approach and was last updated in June 2014.
- SP 800-39: This special publication on managing information security risk was published in March 2011.
- SP 800-53: This publication covers security and privacy controls for federal information systems and organizations and was published in April 2013. An addendum to the publication, SP 800-53A, covers assessment of these controls and was published in December of 2014. This is the most important of these special publications and is discussed in greater detail later on in this guide.
- SP 800-59: This special publication provides a guideline for identifying an information system as a national security system and was published in August 2003.
- SP 800-60: Consisting of two volumes, Volume I of SP 800-60 was published in August 2008 and acts as a guide for mapping types of information systems to security categories. Volume II, published the same time, serves as the Appendices to Volume I.
- SP 800-137: This publication is a guide to information security continuous monitoring (ISCM) for federal information systems and organizations, published September 2011.
- SP 800-160: This more recent publication, published in September 2016, is a systems security engineering guideline. It provides an integrated approach to building trustworthy and resilient systems.
These documents were designed to assist with the implementation of FISMA in the first phase and help agencies understand and act on the regulations. Today, a majority of government agencies follow frameworks defined in SP 800-53 and 37, though standards are continuously changing.
FISMA Compliance Requirements
This information answers what FISMA is, but most contractors are really only concerned with what FISMA means for their business. The bottom line is compliance. Any organization, whether public or private, must handle federal data in a manner that is compliant with FISMA regulations. But what does this mean?
FISMA compliance is determined when an agency or government contractor demonstrates compliance to an independent assessor. During this process, the organization must demonstrate that they have implemented all the controls as identified in NIST SP 800-53 and developed policies and procedures to support the continued operation of the system as established.
The primary requirements of FISMA and NIST SP 800-53 can be summarized as follows:
- Maintain an Inventory of Information Systems: Every federally affiliated organization, from agencies to contractors, must keep a list of the information systems they use. This includes any information systems that come in contact with federal data. Additionally, any integrations between these information systems must be identified and described in detail.
- Categorize Information and Information Systems: Once detailed, each information system used by a federal agency or contractor working with the government must be categorized according to risk level. Any information handled by the organization must also be categorized in this manner.
- Maintain a System Security Plan: One of the primary FISMA requirements is that agencies must create and maintain a security plan for their information system. This plan should include security controls and policies currently implemented as well as a general timetable for future control implementation and assessments.
- Utilize Security Controls: FISMA requires agencies and contractors to implement a series of security controls covering all areas of the organization. This includes awareness and training, contingency planning, maintenance, incident response and risk assessment, among other areas.
- Conduct Risk Assessments: One of the most critical security controls required by FISMA is the risk assessment. This involves approaching the system using a risk-based mindset and managing any organizational risks to mitigate the dangers. Risk acceptability can change depending on the nature of the system — whether the system is involved in the production, processing or storage of active government data. Risk assessments should be conducted on a regular basis, especially following significant changes to an organization’s existing information system.
- Certification and Accreditation: Agencies and organizations must periodically achieve FISMA Certification and Accreditation. This is accomplished through a four-phase process: initiation and planning, certification, accreditation and continuous monitoring.
- Conduct Continuous Monitoring: FISMA compliance requires continuous monitoring and proof of compliance, which program heads can provide by conducting annual security reviews. For federal agencies, this includes annual reports to Congress, which must be submitted by March 1. These reports must contain information on the adequacy and efficacy of existing policies and practices. In April 2010, the Office of Management and Budget expanded this requirement by requiring agencies to provide real-time system information to FISMA auditors. This further enables the continuous monitoring of federally-affiliated information systems.
How closely an organization follows these requirements is assessed by an authorizing official, or AO, who is a senior official or executive granted the authority to assess a FISMA-regulated system. This AO will evaluate the controls and outcomes of the business and determine if any identified risks are acceptable for the continued operation of the system. In this case, there must not be an undue risk to organizational operations, assets, individuals, other organizations or the nation as a whole.
If the risks posed by an organization’s system are small enough to meet an AO’s standards, then they will grant the group in question an ATO, or an Authority to Operate. This ATO signifies FISMA compliance.
Some entities may be granted multiple ATOs. This is most common for commercial entities that carry contracts with multiple government agencies. These organizations must hold an ATO for each government agency they work with — mostly because each agency has slightly different requirements for meeting their own FISMA standards.
Benefits of Complying with FISMA
FISMA compliance offers numerous benefits to government agencies and contractors, mostly in the following areas:
- Increased Security: FISMA’s primary goal was to increase the overall security of sensitive federal information. In this aim, FISMA has largely succeeded. With requirements for federal agencies and contractors to adopt baseline security measures, FISMA has established a high minimum level of security, which is maintained through continuous monitoring and risk assessment.
- Uniformity and Control: One of the other significant benefits of FISMA’s implementation was an increase in consistency among government security measures. Instead of treating security on an agency-by-agency basis, FISMA establishes baseline security measures and practices for all federal agencies and contractors to protect federal information from the ground up and fortify potential weak points in the data chain.
- Agency Confidence: Federally affiliated companies operating in the private sector also benefit from FISMA compliance. Despite being subject to increased scrutiny from the government, these organizations benefit by gaining the confidence of federal agencies. By complying with the same security measures employed by federal agencies, private sector contractors prove that they can be trusted with sensitive federal data, potentially earning them contracts with federal agencies. It doesn’t hurt that these measures also improve the security of their own business data, and not just federal information.
These benefits have encouraged many organizations to adopt FISMA standards, including many private sector companies hoping to gain contracts with federal agencies. The result has been improved security and uniformity across the board, which helps keep the nation safe by protecting its collective data.
Penalties for Non-Compliance
An essential part of maintaining FISMA compliance involves auditing and, when applicable, levying penalties.
FISMA compliance is audited every year, with reports due by March 1. These audits look at every aspect of an organization’s security measures, from technology inventory to security controls and processes. If the organization fails to complete an audit or, during the audit, demonstrates that their processes allow more than an acceptable level of risk, they fail the audit.
If an organization receives a low score or fails a FISMA audit, this is a sign that the organization’s approach to security isn’t enough to protect their information from cyberattacks and therefore poses a risk to federal information. Failure indicates that security isn’t high enough to protect sensitive data from the majority of modern cyberattacks, while a low score indicates that the organization is at greater risk than average.
Low and failing FISMA grades may be met with several penalties, including censure by Congress and negative publicity. In particularly severe cases, federal funding for the agency or organization may be cut. For private sector government contractors, this can mean the end of their relationship with the federal government.
In any case, these penalties can cripple organizational operations for years, if not permanently, which is why maintaining FISMA compliance is an absolute necessity.
FISMA Compliance Security Solutions from BlackStratus
Obtaining and maintaining compliance with FISMA regulations doesn’t need to be a hassle. With the best practices and the right technological tools on your side, your business can meet FISMA requirements and maintain good relationships with federal agencies. BlackStratus can help.
BlackStratus’ family of FISMA-compliant event management software is designed to help you meet FISMA compliance requirements with ease, no matter the size of your network or organization. The CYBERShark family of software systems is designed with security in mind and offers an array of powerful capabilities for protecting critical data and maintaining compliant operations:
- Real-Time Incident Identification gives your users instant visibility of threats, identifying them as they happen so your users can combat them in real-time to prevent breaches.
- Automated Correlation Technology analyzes all logged events for threatening patterns, prioritizing critical threats and filtering out false positives so your team can focus on true dangers.
- A FISMA-Compliant Data Center is a major factor for FISMA-regulated organizations. CYBERShark is a cloud-based system, meaning it can achieve high speeds and scalability with ease. Even better, it’s compliant with the highest cloud security standards so your data remains safe and secure.
- Centralized Event Logging Management and Storage automatically creates logs of incidents in your system, allowing you to investigate events with all applicable data. These logs also include in-depth incident summaries with drill-downs that include all involved individuals and systems.
- Security and Compliance Reports are probably the most important features of the CYBERShark system for FISMA-regulated organizations. CYBERShark includes a set of FISMA-compliant reporting packs* to help your organization properly track incidents according to FISMA requirements. This allows your organization to properly mitigate FISMA compliance violations.
While most other systems that offer these functions are difficult to install and rather expensive, CYBERShark from BlackStratus provides an easy and affordable solution. Cost-effective yet advanced, CYBERShark provides the solution your government contracting business needs to maintain FISMA compliance while keeping costs low. Best of all, it’s easy to set up and integrate into your existing systems, meaning you can get started with this system today.
Interested in learning more about BlackStratus’ FISMA compliance management solutions? Request a demonstration of our CYBERShark software today.
*FISMA-specific reporting for CYBERShark is available via scheduled e-mail delivery upon request.