What is FISMA Compliance?
The Federal Information Security Management Act (FISMA), signed into law in 2002, requires that security guidelines be implemented to help protect sensitive federal data and reduce the security risk to it. It requires all federal agencies to protect and support their operations by developing, documenting, and implementing a comprehensive information security plan. All agencies within the U.S. federal government, some state agencies, and any private sector organization in a contractual relationship with the government are bound by these FISMA compliance regulations.
By Congressional amendment in 2014, the Federal Information Security Modernization Act, Public Law 113-283, brought FISMA closer in line with current information security concerns. Federal agencies are now encouraged to use more continuous monitoring and to focus more heavily on compliance.
Evaluation of FISMA compliance is reported by agencies annually to the Office of Management and Budget (OMB), and each FISMA Report Card is available to the public.
Who Needs to Be FISMA Compliant?
When first created, FISMA only applied to federal agencies. The law has since evolved and now covers state agencies that administer federal programs such as unemployment insurance, student loans, Medicare, Medicaid, etc.
In addition, any contractors or private sector companies that do business with federal agencies, support federal programs, or even receive grant money, must also comply with the same information security guidelines as the federal agency they are working alongside. This includes companies such as software providers and cloud services companies.
Staying on top of FISMA requirements can help contractors and other vendors avoid having a contract cancelled, being put on the federal contractor blacklist, or even having to appear before a Congressional hearing if the security lapse is severe enough.
FISMA Compliance Checklist
Based on guidance from NIST, as outlined in CSOOnline, the following information security controls need to be addressed before an organization can claim to be FISMA-compliant:
Inventory of information systems
Inventory of information systems in use, as well as their system integrations.
Categorization of risk
Categorization of risk, as defined by FIPS 199. The “Standards for Security Categorization of Federal Information and Information Systems” details how agencies categorize their risks and resulting security requirements.
System security plan
System security plan and the processes involved to ensure the plan is updated regularly. This plan is the major component of the security certification and accreditation process for the system.
Security controls
Security controls, as defined by the minimum requirements in FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems.” Agencies and their contractors must meet the minimum security requirements by selecting the appropriate security controls as described in NIST 800-53. The controls selected must also be documented in the System Security Plan.
Risk assessments
Risk assessments should be conducted to determine whether additional controls are needed to protect agency operations, assets, individuals, etc. This assessment establishes the level of “security due diligence” required for FISMA compliance.
Certification and accreditation
Certification and accreditation with yearly security reviews to demonstrate that documentation, risk assessment, implementation, maintenance, and monitoring of systems for FISMA compliance are working as intended. Once reviewed, the information system is deemed accredited.
Continuous monitoring
Continuous monitoring of the selected set of security controls and system documentation.
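The categorization step of the checklist above refers to FIPS 199 without showing how the categorization is actually computed. The following Python script is an added example, not code from this page or from Fortra, that implements the FIPS 199 rule: each information type a system handles is rated LOW, MODERATE, or HIGH for the potential impact of a loss of confidentiality, integrity, and availability; the system's category for each objective is the highest rating across its information types; and the overall category (the high-water mark used to pick the low, moderate, or high SP 800-53 baseline) is the highest of the three. The information types, their impact ratings, and the system name are constructed for illustration and are not taken from any real categorization.

```python
"""FIPS 199 security categorization using the high-water mark rule.

Added example; not text or code from the original page. The sample system
and its information types below are constructed for illustration.
"""
from dataclasses import dataclass

# Impact levels in increasing order. "NA" (not applicable) is allowed by
# FIPS 199 only for the confidentiality of public information.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of information a system stores, processes, or transmits."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def validate(info_type: InformationType) -> None:
    """Reject unknown levels and misuse of NA outside confidentiality."""
    for objective in OBJECTIVES:
        level = info_type.impact(objective)
        if level not in IMPACT_RANK:
            raise ValueError(f"{info_type.name}: unknown impact level {level!r} for {objective}")
        if level == "NA" and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: NA is not permitted for {objective}")


def categorize(info_types):
    """Return ({objective: level}, overall_level) for a system.

    Per objective, the level is the maximum across all information types;
    the overall level is the maximum across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    for info_type in info_types:
        validate(info_type)
    per_objective = {
        objective: max((it.impact(objective) for it in info_types),
                       key=lambda level: IMPACT_RANK[level])
        for objective in OBJECTIVES
    }
    overall = max(per_objective.values(), key=lambda level: IMPACT_RANK[level])
    return per_objective, overall


def security_category_string(per_objective) -> str:
    """Render the category in the notation FIPS 199 uses."""
    parts = ", ".join(f"({objective}, {per_objective[objective]})" for objective in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a hypothetical state unemployment-insurance portal.
SAMPLE_INFO_TYPES = [
    InformationType("public program information", "NA", "LOW", "LOW"),
    InformationType("claimant personal data", "MODERATE", "MODERATE", "LOW"),
    InformationType("benefit payment instructions", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    per_objective, overall = categorize(SAMPLE_INFO_TYPES)
    print(security_category_string(per_objective))
    print(f"overall (high-water mark): {overall} -> select the {overall} SP 800-53 baseline")
```

Running the script prints the category in FIPS 199 notation followed by the overall level; for the constructed sample the integrity rating of the payment instructions drives the whole system to HIGH even though no single information type is HIGH for confidentiality or availability, which is exactly the effect the high-water mark is meant to capture.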
NIST Standards & Compliance
What are NIST Standards?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency that has issued specific guidance for government bodies and their contractors on complying with FISMA.
Achieving FISMA compliance requires organizations seeking government contracts to look closely at their networks and cybersecurity procedures to ensure they meet the appropriate security requirements contained in NIST’s special publications, most notably NIST SP 800-171 and NIST SP 800-53. In this role, NIST:
- Sets the minimum requirements for information security plans and procedures.
- Recommends the types of security systems, software, etc., that agencies need to implement and approves the vendors for them.
- Standardizes the risk assessment process and, depending on agency risk assessments, sets varying standards of information security.
NIST SP 800-171
Government bodies, as well as contractors and subcontractors working with them must maintain compliance with NIST standards and guidelines throughout the entire time of their contract. In 2017, NIST published SP 800-171, which spells out the standards and guidelines for regulating the management of government data while it resides in, is processed by, or crosses through nonfederal information systems.
This government data is also known as Controlled Unclassified Information (CUI). While CUI is sensitive, it does not qualify as classified information. It is, however, commonly used by service providers who perform business functions for government agencies. SP 800-171 helps define how CUI is protected.
Procedures related to how data is handled, safeguarded, and controlled while it is exchanged through nonfederal systems are detailed to ensure CUI data is secured appropriately and only available to specific users who need to work with it on a specific project.
A few key areas organizations need to address to meet SP 800-171 requirements include:
- Who is authorized to view and access the data?
- Are people aware of and trained in how this information should be handled?
- How is data access accounted for and audited?
- How secure are the networks?
- Who can access the agency’s equipment, systems, and data storage?
- What is the response time for any breaches or threats to CUI?
NIST SP 800-53
One of the most robust NIST publications set forth in accordance with FISMA is NIST SP 800-53, or the “Recommended Security Controls for Federal Information Systems and Organizations.” This special publication details the specific controls designed to support secure federal information systems and lays out best practices and global standards for maintaining confidentiality, integrity, and availability.
The framework is split into five different functions: identify, protect, detect, respond and recover. Within these functions are 20 security controls. Agencies select from these controls those that apply most to their unique requirements for low-, moderate-, or high-impact risks.
The controls address access control, auditing and accountability, awareness and training, configuration management and planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, risk assessment, system and information integrity, and more.
As technology has evolved, NIST SP 800-53 has been revised to cover areas like cloud computing, mobile technology, insider threats, supply chain security standards, application security, and more.
Some best practices for complying with 800-53 include:
- Identifying your sensitive data
- Classifying sensitive data
- Evaluating your cybersecurity via a risk assessment
- Documenting your policies and procedures
- Training users on cybersecurity best practices
FISMA Compliance Tools from Fortra
Managed File Transfer and FISMA Compliant File Transfer
Ensuring that file transfers performed under the guidelines of FISMA are secure is an essential step towards FISMA and NIST compliance. Several of the NIST SP 800-53 controls can be addressed through a managed file transfer (MFT) solution, such as GoAnywhere MFT, which includes:
- Data protection and encryption during file transfer processes, ensuring security of data at rest and in transit
- Access control to limit data access to only those necessary
- Auditing logs and reporting to efficiently provide data needed for annual FISMA audits
Data Classification and FISMA Compliance
NIST 800-53 and NIST 800-171 specifically call out classifying sensitive data as one of the controls needed for FISMA compliance. With data classification in place, agencies and contractors can identify and prioritize the specific data they need to protect, even critical unstructured data.
Labels and Metadata
A data classification solution supports this by:
- Applying both visual labels and metadata.
- Integrating with other security technologies such as data loss prevention, digital rights management, and encryption.
- Helping to build a classification policy tailored to a specific agency or contractor’s requirements.
- Encouraging a compliance culture, as users are directly involved with identifying, managing, and controlling the sensitive data they encounter.
- Automating parts of the classification process to help enforce consistent rules and policies.
Start Your Journey toward FISMA Compliance
Fortra provides government agencies, as well as private sector organizations, with the robust solutions needed to achieve and maintain FISMA compliance. One of our experts can help you explore the solutions that are right for you.