Steps to Achieve FISMA Compliance

How to Achieve FISMA Compliance

Thanks to the Federal Information Security Management Act (FISMA), federal agencies and contractors who do business with the government must develop, document, and implement a cybersecurity program to protect classified data and mission-critical government systems from potential cyberattacks. If you work in federal security or deal with government computer systems, you know there are policies to protect the point-of-sale systems, web servers, mail servers, and servers with top-secret data.

Any company that uses a computer network is open to cyberattacks. Criminal hackers are constantly pinging addresses in search of gaps they can squeeze through. It is even worse when the attack targets your personal information, and applied to the federal government that is a recipe for disaster. Because of its sensitivity, government data requires the highest level of protection, and this is why compliance with FISMA is necessary.


Steps to FISMA Compliance

Government agencies and contractors are audited, after which they receive a FISMA compliance report. Part of the E-Government Act of 2002, which modernized government IT management, FISMA regulates how government agencies manage IT systems and data. It serves to evaluate the security of companies and government agencies.

Becoming FISMA-compliant is a meticulous process. To comply with the law, an agency or contractor must conduct an inventory of the current systems, create a custom security policy to protect assets, and monitor long-term risks. The law requires you to choose security controls that match the risks your organization faces and to revise them periodically to check for vulnerabilities.

1. Inventory IT

Agencies and contractors must maintain an inventory of all their IT systems. This inventory must include a description, manufacturer, model number, date of purchase or lease, date when the hardware was last updated, maintenance or repair records, service records, and disposition.

2. Information Systems Categorization

Agencies must categorize information systems by risk. Risk categorization identifies the systems holding the most sensitive data so the agency can protect them. FIPS 199 (Federal Information Processing Standard 199) defines how to determine an IT system’s risk category. It rates the system as low, medium, or high according to the potential impact of a loss of confidentiality, integrity, and availability.
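As an added example (not code from the original post), the script below applies the FIPS 199 categorization rule to a small inventory: each information type a system processes gets a rating for confidentiality, integrity, and availability; the system's level for each objective is the highest rating among its information types; and the overall system category is the highest of the three objective levels (the "high-water mark"). FIPS 199 calls the middle level "moderate", which is what the code uses. The systems, information types, and ratings are constructed sample data.

```python
"""Added example: FIPS 199 security categorization by high-water mark.

Ratings are LOW, MODERATE or HIGH.  For a system with several information
types, each objective (confidentiality, integrity, availability) takes the
highest rating among those types, and the overall category is the highest of
the three objective levels.  All systems and ratings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

LEVELS = ("LOW", "MODERATE", "HIGH")
_RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its three FIPS 199 impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level in `levels`; reject unknown labels."""
    chosen = None
    for level in levels:
        if level not in _RANK:
            raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
        if chosen is None or _RANK[level] > _RANK[chosen]:
            chosen = level
    if chosen is None:
        raise ValueError("no impact levels supplied")
    return chosen


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Per-objective levels plus the overall category for one system."""
    sc = {obj: high_water_mark(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}
    sc["overall"] = high_water_mark(sc[obj] for obj in OBJECTIVES)
    return sc


def format_sc(sc: Dict[str, str]) -> str:
    """Render the category in the notation FIPS 199 uses."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES) + "}"


def rank_systems(systems: Dict[str, List[InfoType]]) -> List[str]:
    """System names from highest to lowest overall category, so the most
    sensitive systems are protected and reviewed first (stable for ties)."""
    return sorted(systems,
                  key=lambda n: _RANK[categorize_system(systems[n])["overall"]],
                  reverse=True)


# Constructed sample inventory (hypothetical systems and information types).
SAMPLE_SYSTEMS = {
    "public-website": [
        InfoType("press releases", "LOW", "LOW", "LOW"),
    ],
    "grants-management": [
        InfoType("program descriptions", "LOW", "MODERATE", "LOW"),
        InfoType("applicant PII", "MODERATE", "MODERATE", "LOW"),
        InfoType("payment disbursement records", "MODERATE", "HIGH", "MODERATE"),
    ],
    "hr-portal": [
        InfoType("employee records", "MODERATE", "MODERATE", "MODERATE"),
    ],
}

if __name__ == "__main__":
    for name in rank_systems(SAMPLE_SYSTEMS):
        sc = categorize_system(SAMPLE_SYSTEMS[name])
        print(f"{name:20s} overall={sc['overall']:8s} {format_sc(sc)}")
```

The per-objective breakdown matters beyond the single overall label: the grants system above is HIGH only because of integrity, which tells the control-selection step where the strongest controls belong.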

3. Maintain a System Security Plan

Organizations are required to create a system security plan. The plan should include a Plan of Action and Milestones (POA&M). The document must include security controls, milestones, and timelines for implementing any changes. Regularly updating these documents is crucial.

4. Use Security Controls

After creating a security plan, the next step is to implement security controls. NIST SP 800-53 is a catalog of system security controls that protect information systems. Control families include risk assessment, awareness and training, media protection, contingency planning, identification and authentication, personnel security, system and communications protection, incident response, and so on.

The controls you implement should be relevant to the systems you are using and protecting. You do not need to apply every NIST SP 800-53 control, but you must ensure that those you do apply meet security standards. Choose controls that protect your most-used systems.

5. Risk Assessments

At this stage, you should assess your security controls to find process gaps. NIST SP 800-30 describes how to conduct risk assessments. Everything, including people, assets, and operations, has to be protected. After conducting a risk assessment, determine whether you need any other data protection controls, and check your controls to ensure everything is covered.

6. Certification and Accreditation

After tweaking your controls and completing the necessary paperwork, you must certify and accredit them to prove they work. The information system will be accredited if the review passes. NIST SP 800-37 outlines the certification process. Planning, certification, accreditation, and continuous monitoring make up the certification and accreditation process.

7. Continuous Monitoring

Finally, you should monitor security controls and systems for changes. This includes configuration management, file integrity monitoring, vulnerability scanning, and log analysis. There are tools you can use for this, such as vulnerability scanners (which scan devices for entry points and vulnerabilities) or file integrity monitoring systems (which verify system files against a known-good baseline).


Who Needs FISMA?

FISMA originally applied to federal agencies but has since been expanded to state agencies implementing federal programs. For instance, state agencies managing Medicare, Medicaid, and student loans must follow FISMA. Private companies managing government contracts, providing services, or receiving grants must also comply. Private companies are often caught off guard by FISMA because they don’t realize their obligations.

This mistake can result in noncompliance penalties and financial loss. Non-compliant institutions or companies will lose federal funding and future contracts, which can be devastating for private companies. The act imposes harsh penalties to ensure federal agencies and relevant private organizations protect their data.


To guarantee the safety and security of all data, every government agency must comply with FISMA. The same requirement applies to any government contractor. Low FISMA scores increase the risk of leaking sensitive data. FISMA compliance helps avoid penalties and protects data.

Salman Zafar
