What is FISMA
FISMA stands for Federal Information Security Management Act. The Federal Information Security Management act of 2002 is a law passed that requires federal agencies to develop and implement an information security program. The FISMA was introduced as part of the E-Government Act, which aims to improve management of electronic government services.
FISMA is a federal regulation that helps to protect the government from security risks. It was introduced in order to reduce costs and improve cybersecurity.
In 2010, the Office of Management and Budget released guidelines that would allow FISMA auditors to monitor systems in real time.
FISMA Compliance Process
The National Institute of Standards and Technology has been playing a major role in the FISMA Implementation Project, which is responsible for creating many security standards. The NIST 800 series provides us with guidelines on how to implement these.
FISMA has a few key requirements that are important for all agencies to follow.
- Every company that is contracted by the government has to keep an inventory of all their information systems. They have to identify what they are connected with within their network.
- The risk levels range from low, to moderate and high.
- The agency is required to create a security plan which is kept up-to-date and regularly maintained. The plan should have things like the system’s controls, policies on what they do with data, and a timetable for when new protections will be put in place.
- There are many security controls that companies can implement to satisfy FISMA compliance. NIST SP 800-53 is a catalog of suggested security control, and not all must be implemented.
- Risk assessments help identify the risks of a company or organization. Organizations need to conduct three-tiered risk assessment, identifying organizational level threats and vulnerabilities, business process level threats and vulnerabilities, as well as information system specific threats.
- The FISMA certification and accreditation process is a four-phased system. It includes initiation and planning, which include risk assessment; the second phase is to get fisma certified by meeting certain requirements such as having an acceptable security plan, policies in place for data protection, etc.; after that comes accreditation where you have to meet additional criteria like providing documentation proving your compliance with federal regulations.
Pro's of FISMA Compliance
FISMA compliance has increased the security of sensitive federal information. The continuous monitoring is a good thing for agencies because it helps them eliminate vulnerabilities and maintain a high level of security in an efficient manner.
Private companies can also benefit from FISMA compliance. By following the requirements of FISMA, they’ll have a better chance at adding new business from federal agencies and will be able to follow many best practices outlined in it.
Consequencs of FISMA Non-Compliance
If government agencies or private companies don’t comply with FISMA, there are various penalties. These include being publicly reprimanded by congress, having funding reduced, and damaging their reputation.
FISMA Mandates
To meet FISMA compliance, there are some fisma mandates you must follow. This list is not exhaustive, but it will get you on your way to meeting all the requirements.
- When data is created, it should be classified immediately. This way you can prioritize security controls and policies to apply the highest level of protection for your most sensitive information.
- You should give your team a tool that can encrypt sensitive data based on its classification level or when it is put at risk. This should be basic for any company with sensitive information.
- One of the most important things you can do to maintain FISMA compliance is documenting your work.