All You Need to Know about FISMA Compliance

The Federal Information Security Management Act (FISMA) is a United States federal law passed in December 2002 as part of the E-Government Act. FISMA requires each federal agency to develop, document, and implement an agency-wide program to secure information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

FISMA was amended through the Federal Information Security Modernization Act of 2014 (FISMA 2014) in response to the mounting number of cyberattacks suffered by federal agencies. FISMA 2014 modernized federal security practices to address these new threats. Its changes reduced overall reporting, strengthened the use of continuous monitoring and increased the focus on agency compliance and security incident reporting. Along with other legislation, FISMA explicitly emphasizes a risk-based policy for cost-effective security.

Who does FISMA apply to?

FISMA originally applied only to US federal agencies, but its applicability was later expanded to include all organizations that possess, manage, or have access to federal information on behalf of an agency. As a consequence, state and local governments that administer federal programs such as Medicare, Medicaid and federally backed student loans, but also any private sector company that has a contractual relationship with the federal government must now comply with FISMA.

What are the main FISMA requirements?

FISMA compliance requirements are extensive, but the most important can be summarized in these seven points:

Maintain an inventory of IT systems. Every agency or contractor must keep an inventory of information systems that they control or operate, as well as an inventory of the connections between those systems and between internal systems and systems outside their control.

Risk level categorization. All federal data and IT systems must be categorized according to their level of risk: low, moderate, or high. A low-risk system does not store sensitive information that needs to be protected. A moderate-risk system can contain sensitive information and requires a greater degree of security. A high-risk system means the data stored on it is highly sensitive and its loss or compromise would represent a great risk to the federal government.

Develop a system security plan. All agencies and contractors must produce and maintain a System Security Plan (SSP) that defines how their security controls will be implemented. The SSP must be periodically reviewed and include plans of action and milestones.

Apply security controls. Federal information systems must meet the minimum requirements listed in the National Institute of Standards and Technology (NIST)’s FIPS 200 publication, Minimum Security Requirements for Federal Information and Information Systems. Once basic security controls are in place, organizations can choose more advanced controls as described in NIST 800-53, Recommended Security Controls for Federal Information Systems. Security controls can be based on mission requirements and operational environments and must be listed in the SSP.

Risk assessments. Every agency or contractor must confirm the successful implementation of its security controls through risk assessments. They can also be used to determine whether additional controls might be needed to add an extra layer of protection to the information or system.

Certification and accreditation. Once the risk assessment and the SSP are complete, an annual security review must be conducted to ensure security controls in place continue to be sufficient and any risks are mitigated. FISMA certification and accreditation, detailed in NIST 800-37, has four steps: initiation and planning, certification, accreditation, and continuous monitoring.

Continuous monitoring. As the threat landscape continues to evolve, agencies and contractors must continuously monitor systems to ensure that security controls continue to be sufficient for federal information and system protection.

The role of NIST in FISMA compliance

Through the FISMA Implementation Project of 2003, NIST was tasked to produce several key security standards and guidelines required for FISMA compliance. These include NIST 800-53, FIPS 199, FIPS 200 and more. NIST also developed the NIST Risk Management Framework (RMF), a risk-based approach to selecting, implementing and assessing security controls for federal systems and for determining risk to organizational operations and assets, individuals and other organizations.

The NIST RMF and FISMA-associated NIST publications aim to ensure that any organizations working with federal information can conduct their day-to-day operations with adequate security that minimizes the risk of unauthorized access, use, disclosure, disruption, modification and destruction of federal information.

Authorization under FISMA

Federal systems must be authorized before being allowed to operate. Authorization is conducted by a senior management official that determines if the security and privacy risk to organizational operations and assets, individuals or other organizations are acceptable based on the operation of a system or the use of common controls.

If a system is approved, it receives an Authority to Operate (ATO) decision and the authorizing officials become responsible for the systems to which they grant ATOs. Should a security failure occur, the official who approved the system will be held accountable.

Penalties

Unlike other data protection laws such as GDPR, CPRA and HIPAA, noncompliance with FISMA does not come with monetary fines. It can however lead to contractors losing all federal funding and being barred from participating in any future federal contract bids. If a severe security incident takes place, contractors may also be required to appear before Congress to determine the scope of the damage and assess the company’s FISMA compliance before the incident.

DLP’s role in FISMA compliance

As a data-centric technology, Data Loss Prevention (DLP) allows organizations seeking FISMA compliance to protect sensitive federal information such as Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) from loss and theft. DLP solutions monitor and control the transfer of data classified as sensitive.

By using DLP, companies can mitigate some of the risks associated with data transfers such as the use of insecure methods of transfer such as messaging apps and file-sharing services and the everyday mistakes committed by employees when sending and sharing sensitive data. Protecting federal information and making sure it doesn’t get into the wrong hands is a big part of FISMA compliance and DLP is an essential tool in the successful implementation of its security controls.