What is FISMA Compliance?
The Federal Information Security Management Act (FISMA), signed into law in 2002, requires security guidelines be implemented to help protect and reduce the security risk of sensitive federal data. It requires all federal agencies to protect and support their operations by developing, documenting, and implementing a comprehensive information security plan. All agencies within the U.S. federal government, as well as some state agencies, and any private sector organization in a contractual relationship with the government are bound by these FISMA compliance regulations.
By Congressional amendment in 2014, the Federal Information Security Modernization Act (Public Law 113-283) brought FISMA closer in line with current information security concerns. Federal agencies are now expected to rely on continuous monitoring of their systems rather than on periodic, paper-based compliance reporting.
Evaluation of FISMA compliance is reported by agencies annually to the Office of Management and Budget (OMB), and each FISMA Report Card is available to the public.
Who Needs to Be FISMA Compliant?
When first created, FISMA only applied to federal agencies. The law has since evolved and now covers state agencies that administer federal programs such as unemployment insurance, student loans, Medicare, Medicaid, etc.
In addition, any contractors or private sector companies that do business with federal agencies, support federal programs, or even receive grant money, must also comply with the same information security guidelines as the federal agency they are working alongside. This includes companies such as software providers and cloud services companies.
Staying on top of FISMA requirements can help contractors and other vendors avoid having a contract cancelled, being suspended or debarred from federal contracting, or even having to appear before a Congressional hearing if the security lapse is severe enough.
FISMA Compliance Checklist
Based on guidance from NIST, as outlined in CSOOnline, the following information security controls need to be addressed before an organization can claim to be FISMA-compliant:
Inventory of information systems
Categorization of risk
System security plan
Security controls
Risk assessments
Certification and accreditation (now called assessment and authorization under the NIST Risk Management Framework)
Continuous monitoring
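The first steps of the checklist above (inventory, categorization, baseline selection, authorization status) are mechanical enough to script. The following is an added example, not code from Fortra, NIST, or the original page: it applies the FIPS 199 "high-water mark" rule to each system in an inventory, maps the resulting impact level to the matching SP 800-53B baseline, and flags systems whose authorization to operate has lapsed. The inventory, owners, dates, and the three-year authorization cycle are constructed sample data and assumptions, not values from the page.

```python
"""
Added example (not Fortra's or NIST's code): FIPS 199 categorization of a
system inventory, SP 800-53B baseline selection, and authorization-age check.
All systems, owners, dates and the 3-year ATO cycle below are constructed
sample data / assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Impact levels ordered so the highest rank is the FIPS 199 high-water mark.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            if getattr(self, objective) not in RANK:
                raise ValueError(f"unknown impact level for {self.name}: {objective}")


@dataclass
class System:
    """An inventory entry: what it processes and when it was last authorized."""
    system_id: str
    owner: str
    info_types: List[InfoType]
    authorized_on: Optional[date] = None
    ato_validity_days: int = 3 * 365  # assumption: a 3-year authorization cycle


def categorize(info_types: List[InfoType]) -> Dict[str, str]:
    """FIPS 199: per-objective high-water mark across all information types."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        objective: max((getattr(t, objective) for t in info_types), key=RANK.__getitem__)
        for objective in OBJECTIVES
    }


def overall_impact(security_category: Dict[str, str]) -> str:
    """FIPS 200: the system impact level is the highest of the three objectives."""
    return max(security_category.values(), key=RANK.__getitem__)


def baseline_for(level: str) -> str:
    """Map the impact level to the SP 800-53B control baseline to start from."""
    return f"SP 800-53B {level.capitalize()} baseline"


def authorization_status(system: System, today: date) -> str:
    """'CURRENT', 'NOT AUTHORIZED', or 'EXPIRED <date>' for the ATO."""
    if system.authorized_on is None:
        return "NOT AUTHORIZED"
    expires = system.authorized_on + timedelta(days=system.ato_validity_days)
    return "CURRENT" if today <= expires else f"EXPIRED {expires.isoformat()}"


def assess(inventory: List[System], today: date) -> Dict[str, dict]:
    """Run categorization, baseline selection and ATO check over the inventory."""
    report = {}
    for s in inventory:
        sc = categorize(s.info_types)
        level = overall_impact(sc)
        report[s.system_id] = {
            "owner": s.owner,
            "categorization": sc,
            "impact": level,
            "baseline": baseline_for(level),
            "authorization": authorization_status(s, today),
        }
    return report


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    System("HR-PAY", "hr-office", [
        InfoType("payroll PII", "MODERATE", "MODERATE", "LOW"),
        InfoType("benefits notices", "LOW", "MODERATE", "LOW"),
    ], authorized_on=date(2023, 3, 1)),
    System("WEB-PUB", "comms-office", [
        InfoType("public web content", "LOW", "LOW", "LOW"),
    ]),  # never authorized
    System("EMERG-DISPATCH", "ops-center", [
        InfoType("dispatch queue", "LOW", "MODERATE", "HIGH"),
    ], authorized_on=date(2020, 1, 15)),
]
AS_OF = date(2024, 6, 1)  # assumed assessment date


def run_sample() -> Dict[str, dict]:
    return assess(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for system_id, row in run_sample().items():
        print(system_id, row["impact"], row["baseline"], row["authorization"])
```

The high-water mark is what makes a single high-availability information type (the dispatch queue above) drag the whole system to a High baseline; categorizing by "typical" data instead of by the worst case is the most common way agencies under-scope their control set.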
NIST Standards & Compliance
What are NIST Standards?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency that has issued specific guidance for government bodies as well as their contractors, for complying with FISMA.
Achieving FISMA compliance requires organizations seeking government contracts to look intensely at their networks and cybersecurity procedures to ensure they meet the appropriate security requirements contained in NIST’s special publications, most notably, NIST SP 800-171 and NIST SP 800-53.
Specifically, NIST:
Minimum Requirements
Sets the minimum requirements for information security plans and procedures.
Security Systems
Recommends the types of security controls, systems, and software that agencies need to implement. NIST does not approve individual vendors or products; the closest it comes is validating cryptographic modules under FIPS 140 through the Cryptographic Module Validation Program.
Risk Assessment
Standardizes the risk assessment process and, depending on agency risk assessments, sets varying standards of information security.
Learn more: NIST Risk Management Framework
NIST SP 800-171
Government bodies, as well as contractors and subcontractors working with them, must maintain compliance with NIST standards and guidelines throughout the entire term of their contract. NIST first published SP 800-171 in 2015 and has revised it several times since; it spells out the requirements for protecting government data while it resides in, is processed by, or passes through nonfederal information systems.
This government data is also known as Controlled Unclassified Information (CUI). While CUI is sensitive, it does not qualify as classified information. It is, however, commonly used by service providers who perform business functions for government agencies. SP 800-171 helps define how CUI is protected.
Procedures related to how data is handled, safeguarded, and controlled while it is exchanged through nonfederal systems are detailed to ensure CUI data is secured appropriately and only available to specific users who need to work with it on a specific project.
A few key areas organizations need to address to meet SP 800-171 requirements include:
- Who is authorized to view and access the data?
- Are people aware of and trained in how this information should be handled?
- How is data access accounted for and audited?
- How secure are the networks?
- Who can access the agency’s equipment, systems, and data storage?
- What is the response time for any breaches or threats to CUI?
NIST 800-53
One of the most robust NIST publications set forth in accordance with FISMA is NIST SP 800-53, currently titled "Security and Privacy Controls for Information Systems and Organizations" (earlier revisions were titled "Recommended Security Controls for Federal Information Systems and Organizations"). This special publication details the specific controls designed to support secure federal information systems and lays out best practices for maintaining confidentiality, integrity, and availability.
Unlike the NIST Cybersecurity Framework, which is organized around five functions (identify, protect, detect, respond, and recover), SP 800-53 organizes its controls into families: 20 in Revision 5, up from 18 in Revision 4. Agencies start from the low-, moderate-, or high-impact baseline (defined in the companion SP 800-53B) that matches the system's FIPS 199 security categorization and tailor it to their unique requirements.
The control families include Access Control, Audit and Accountability, Awareness and Training, Configuration Management, Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Risk Assessment, System and Information Integrity, and more.
As technology has evolved, NIST SP 800-53 has been revised to cover areas like cloud computing, mobile technology, insider threats, supply chain security standards, application security, and more.
Some best practices for complying with 800-53 include:
- Identifying your sensitive data
- Classifying sensitive data
- Evaluating your cybersecurity via a risk assessment
- Documenting your policies and procedures
- Training users on cybersecurity best practices
FISMA Compliance Tools from Fortra
Managed File Transfer and FISMA Compliant File Transfer
Ensuring that file transfers performed under the guidelines of FISMA are secure is an essential step towards FISMA and NIST compliance. Several of the NIST SP 800-53 controls can be addressed through a managed file transfer (MFT) solution, such as GoAnywhere MFT, which includes:
Data Protection
Access Control
Auditing Logs
Data Classification and FISMA Compliance
NIST SP 800-53 and NIST SP 800-171 both call out categorizing and classifying sensitive data as a prerequisite for FISMA compliance (for example, control RA-2, Security Categorization, in SP 800-53). With data classification in place, agencies and contractors can identify and prioritize the specific data they need to protect, including critical unstructured data.
Fortra's data classification solutions, Titus and Boldon James, deliver the essential control and management needed to support compliance through:
Labels and Metadata
Security Technologies
Classification Policy
Compliance Culture
Automating Classification
Managed Security Services and FISMA Compliance
Access Control
Audit and Accountability
Identification and Authentication
Configuration Management
Incident Response
System and Information Integrity
Risk Assessment
Start Your Journey toward FISMA Compliance
Fortra provides government agencies, as well as private sector organizations with the robust solutions needed to achieve and maintain FISMA compliance. One of our experts can help you explore the solutions that are right for you.