What is FISMA?
FISMA stands for the Federal Information Security Management Act. FISMA compliance requires federal agencies to implement information security plans to protect sensitive data.
FISMA also spawned the creation of the National Institute of Standards & Technology (NIST), which is the organization that develops and releases guidance on cybersecurity best practices and standards. To become compliant with FISMA, organizations should follow the cyber security frameworks set forth by NIST 800-53 and NIST 800-171 as well as the primary FISMA requirements listed below.
Who Should Comply With FISMA?
FISMA compliance is required for any organizations/projects that handle federal data.
Examples of types of organizations that would be required to follow standards set forth by FISMA include: federal agencies, state agencies implementing federal programs, contractors or other private businesses with access to federal data.
FISMA Compliance Primary Requirements
- Create an Inventory of Information Systems: FISMA outlines a framework for overseeing data security that must be adhered to for all information systems used. An inventory of information systems controlled by each agency must be taken.
- Categorize Each Risk: Risk is categorized in three levels according to the amount of overall adverse impact that would be experienced if data is compromised: low impact, moderate impact, and high impact. Your compliance partner can help you with appropriate classifications, however you can get an idea of the risk level based on the data’s susceptibility to alteration in terms of confidentiality (preservation of authorized restrictions), integrity (accuracy of data), and availability (timely and reliable access).
- Define Security Controls: Controls should be put in place following the framework outlined in NIST 800-53.
- Create a System Security Plan: A security plan should be written, executed, and updated regularly to ensure the protection of data and minimize the chance of vulnerabilities.
- Assess Threats and Vulnerabilities to the System: Risk assessments are also a valuable tool for FISMA compliance as they allow the ability to identify and patch threats and vulnerabilities. This also allows the opportunity to add any necessary controls to prevent similar future vulnerabilities.
- Achieve Certification and Accreditation: Annual reporting and independent risk assessments (contact us if you’re in need of a risk assessment) are required in order to achieve and maintain FISMA certification and accreditation.
Initiating FISMA Compliance
As mentioned above, a good starting point for achieving FISMA compliance is following the guidelines set forth in the NIST 800 series documents. Following these requirements will help get you started in the right direction and set a good foundation for FISMA compliance
If you have any questions, concerns, or need assistance regarding FISMA compliance, Red Lion are available to help. Our security compliance professionals have a wide variety of experience and are fully capable of handling the needs of all clients regardless of company size or industry.
Let Red Lion Assist in your FISMA Compliance
Do you still have questions regarding FISMA? Our compliance professionals can help you to understand and comply with the FISMA, regardless of complexity.
Contact Us Today