The Federal Information Security Management Act (FISMA) is a United States federal law enacted in December 2002 under the E-Government Act.
The act mandates federal agencies to develop, document and implement an information security program, considering both processes and systems controls, to “protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide integrity, confidentiality and availability.”
FISMA was augmented in 2014 through the Federal Information Security Modernization Act (FISMA 2014), which modernized the law to address the increasing number of sophisticated cyber-attacks mounting against federal agencies.
The updates reduced the emphasis on reporting and increased the focus on real-time monitoring while also placing more significance on taking a risk-based approach to control implementation.
Who must comply with FISMA?
When FISMA first became law, it applied solely to federal agencies such as the Department of Defense (DOD), Department of Homeland Security (DHS) and so on. Since then, though, the scope has expanded.
Today, state and local agencies that manage federal programs like Medicare, Medicaid, student loans and the like must also comply with the law. At the same time, third-party contractors working with federal agencies must all comply and are subject to the same penalties for non-compliance.
The origins of FISMA
Federal agencies create, manage and store a wealth of classified information relating to national security, public health and much more. If this data were to fall into the hands of nefarious individuals, the fallout could be massive.
Acts of cyber warfare are a severe concern in today’s day and age. Downtime, ransomware attacks and fraud are significant threats that must be proactively mitigated. That’s where FISMA comes in, offering a valuable framework for federal agencies to bolster information security and reduce the risk of data exfiltration and manipulation.
Because FISMA compliance is so important, the fines for violating the act are severe. Federal agencies that fail to meet it are liable for reductions in federal funding, while contractors may lose their business and even be barred from bidding for future federal contracts.
How does NIST relate to FISMA compliance?
FISMA and the National Institute of Standards and Technology (NIST) Cybersecurity Framework are inextricably linked. Under the FISMA Implementation Project of 2003, NIST was asked to create critical resources to guide FISMA compliance, which led to the creation of NIST SP 800-53, FIPS 199 and FIPS 200, to name but a few.
NIST also created the Risk Management Framework, which provides a comprehensive, flexible risk-based approach to selecting and managing information security controls for federal systems and assets.
Combined, the standards and guidelines create a best-in-class framework for federal agencies and contractors, empowering them to minimize cybersecurity threats while maintaining efficiency.
It’s worth noting that NIST’s resources are not a compliance checklist. Every agency is different, meaning there is no “one-size-fits-all” solution to security. The controls an organization needs to implement will vary widely depending on factors like the type of company, the nature of the data it handles, the outcomes of its risk assessments and more.
Steps to FISMA compliance
As we’ve mentioned, FISMA is nuanced; every organization that falls under the law will need to take different steps to achieve compliance in line with the nature of the risk it faces.
That said, all organizations will need to complete some high-level steps to meet compliance, including:
- Information system inventory: Every federal agency or contractor must maintain an inventory of all information systems it uses. In addition, organizations must document any integrations between these systems and other systems on the network. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, contains valuable information on how to categorize information systems.
- Risk categorization: Organizations must categorize data and information systems based on defined risk levels to ensure appropriate controls and processes are in place, as outlined in FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems”. Notably, the FIPS 199 methodology uses the high water mark for its impact rating: even if a system is rated low impact for confidentiality and integrity but high impact for availability, its overall impact level is high.
- System security plan: Agencies must produce and maintain a security plan, updating it continuously to ensure it is relevant and appropriate. The plan should consider factors like security controls, policies and a timetable for security updates.
- Security controls: Within NIST SP 800-53, there is a substantial catalog of security controls for FISMA compliance. Organizations don’t need to implement every control. Rather, they must implement the controls that are relevant to their systems. Once selected and implemented, organizations must note the controls they’ve selected in their system security plan.
- Risk assessment: FIPS 200 and NIST SP 800-53 work together to create a foundational risk management framework. The resulting risk assessment determines whether an organization’s chosen security controls are sufficient and whether any further controls should be implemented.
- Certification and accreditation: Following the risk assessment, agencies are required to conduct annual security reviews to demonstrate that they are maintaining an appropriate level of security. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides detailed guidance on this step.
- Continuous monitoring: All FISMA-accredited systems must monitor implemented security controls continuously and document any updates to the system. Large updates will require a new risk assessment and possibly recertification, depending on the scale of the changes.
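The FIPS 199 high water mark rule from the risk categorization step, worked through in code. This is an added example, not part of the original article or of Polymer's product; the information types, their impact levels and the numeric ordering given to the levels are constructed for illustration.

```python
from enum import IntEnum
from typing import Dict, List


class Impact(IntEnum):
    """FIPS 199 potential impact levels. The integers are an assumed ordering
    used only so that max() picks the high water mark; N/A is permitted only
    for the confidentiality of information intended for public release."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(c: Impact, i: Impact, a: Impact) -> Dict[str, Impact]:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    if i is Impact.NA or a is Impact.NA:
        raise ValueError("N/A may only be assigned to confidentiality")
    return {"confidentiality": c, "integrity": i, "availability": a}


def categorize_system(info_types: List[Dict[str, Impact]]) -> Dict[str, Impact]:
    """Per-objective high water mark across every information type the system
    processes. FIPS 199 floors each objective at LOW for an information system
    (system-level data such as configuration is never N/A), so a public-only
    confidentiality rating of N/A does not survive at the system level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(Impact.LOW, max(t[obj] for t in info_types)) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, Impact]) -> Impact:
    """High water mark across the three objectives: the single level that
    FIPS 200 then uses to select the LOW/MODERATE/HIGH control baseline."""
    return max(category.values())


def format_category(label: str, category: Dict[str, Impact]) -> str:
    body = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in category.items())
    return f"SC {label} = {{{body}}}"


# Constructed sample: a hypothetical benefits portal carrying two information types.
PUBLIC_NOTICES = categorize_information_type(Impact.NA, Impact.LOW, Impact.LOW)
CLAIM_STATUS = categorize_information_type(Impact.LOW, Impact.LOW, Impact.HIGH)

if __name__ == "__main__":
    system = categorize_system([PUBLIC_NOTICES, CLAIM_STATUS])
    print(format_category("benefits portal", system))
    print("Overall impact level:", overall_impact(system).name)
```

The portal ends up HIGH overall even though confidentiality and integrity are LOW, which is exactly the high water mark effect the step above describes.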
FedRAMP vs FISMA
FISMA and FedRAMP both share the same overarching goals of securing government information and reducing information security risk. However, while FISMA focuses on compliance for information systems, FedRAMP is concerned with the cloud.
FedRAMP sets out requirements for cloud service providers (CSPs), designed to make procuring cloud services more standardized and simpler for government agencies. Once a CSP meets the FedRAMP requirements, a federal agency knows its services are secure to use.
Benefits of FISMA Compliance
For federal agencies and contractors, meeting FISMA is a necessity. As we’ve mentioned, the penalties for non-compliance are grave, so taking this regulation seriously is a must.
Beyond that, though, implementing FISMA also unlocks a range of consequent benefits, including:
- Improved data security and cybersecurity resilience
- A reduction in the likelihood of data breaches
- Enhanced efficiency, leading to reduced IT costs
Is FISMA compliance difficult to achieve?
As with any regulation, meeting FISMA requires time and dedication. Your organization will need to put effort into documentation, assessments and reporting, as well as invest in the necessary security controls.
That said, there are some actions you can take to simplify the process. Namely:
- Classify sensitive data in real time: Data classification has come a long way in recent years. Rather than manually classifying information, invest in a solution that helps you classify sensitive data as it’s created. This will save you a lot of time while also improving security outcomes.
- Automatically protect sensitive data: You don’t want to leave any of your sensitive information vulnerable to compromise or theft. Empower your security team with a solution that automatically protects sensitive data from the offset across your systems and applications.
- Invest in auditing aids: To meet FISMA’s real-time reporting requirements, you’ll need a tool that automatically creates appropriate compliance records, showing the steps you’ve taken to meet and maintain FISMA compliance.
Meet FISMA compliance with Polymer DLP
FISMA compliance doesn’t have to slow your company down. Polymer data loss prevention (DLP) is a cloud-based data classification and protection solution for securing sensitive data in the cloud apps employees use daily. Here’s how we can help you supercharge FISMA compliance.
- Discover your sensitive information: Using the power of natural language processing (NLP) and automation, our tool autonomously discovers and inventories your high-risk data.
- Intelligent classification: Polymer DLP autonomously classifies and inventories federal and high-risk information, with no need for manual intervention.
- Determine and alleviate risk in real time: Our engine autonomously analyzes user interactions using contextual factors to grant or prohibit access to sensitive data.
- Achieve FISMA compliance reporting requirements: Polymer DLP produces real-time reporting on the risks to your organization based on event monitoring. Any policy violation is tracked, alerted on and automatically remediated without human intervention. Compliance teams are notified of any high-risk incidents.
Try Polymer DLP for free today. Start with a free risk scan to assess what sensitive data could be at risk in your cloud apps.