Federal Information Security Modernization Act Compliance

What is FISMA?

The E-Government Act (Public Law 107-347), passed by the 107th Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2014 (FISMA 2014), aims to protect the information and information systems held by or on behalf of Federal agencies from unauthorized access, use, disclosure, disruption, modification, or destruction.

Several federal agencies play a role in implementing FISMA, most notably:

  • National Institute of Standards and Technology (NIST) develops minimum security standards for federal information and information systems,

  • Office of Management and Budget (OMB) oversees and enforces agency compliance with the law and security standards, and

  • Department of Homeland Security (DHS) oversees the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance.

Who is required to comply with FISMA?

Each federal agency must develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency (i.e., information systems that process or store federal data), including those provided or managed by another agency, contractor, or other sources on behalf of a federal agency.

Not sure if you are required to comply? FISMA requirements are typically included in purchasing and contractual documents with federal agencies as a specific requirement or with the following requirement statements:

  • System Security Plan (SSP)

  • Authority to Operate (ATO)

  • OMB Circular A-130

  • FIPS 199

  • Comply with all applicable NIST standards

How to comply with FISMA

Federal agencies and organizations that process or store federal data are required to assess, design, and implement security controls that adequately protect the federal data stored or processed within their operating environment, including but not limited to:

  • Develop an information security program that includes the following:

    • A detailed System Security Plan (SSP) and Plans of Actions and Milestones (POA&M)

    • Information security policies and procedures

    • Information system contingency plans

    • An incident response plan that includes a security incident reporting process

    • Information security training plans

    • Security program testing and evaluation of results

  • Implement procedures to report the status of their information security programs with remedial action requirements

  • Perform an annual independent evaluation of the information security program to determine the effectiveness of policies, programs, and practices

  • Report incidents to appropriate entities and consult with others about mitigating the risks of identified and perceived threats

At Secliance, we help organizations reduce the time it takes to achieve and maintain FISMA compliance - saving time, money, and unnecessary frustration.

Implementation tips

FISMA compliance is a continuous process to enhance and transform the state of cybersecurity within the organization and not a project with a start and end date.

  • Understand the FISMA compliance requirements for respective products and services (the “why” and “what”)

  • Get executive leadership buy-in and commitment

  • Spend time accurately defining the system boundary or authorization boundary

  • Select and document the SSP based on the sensitivity requirement. NOTE: The SSP should be:

    • clear - the assessor should be able to understand how the control functions to mitigate risk,

    • concise - the content should be relevant and to the point,

    • consistent - people, processes, and technology should be referred to by the same name or description, and

    • complete - it should include all applicable sections and answer who, what, when, and how.

  • Document and maintain a POA&M. This is a living document that describes the current status of any specific weaknesses or deficiencies in the security controls and supports risk management and the prioritization of resources.

Having an experienced committed resource is key to managing FISMA compliance goals within scope, cost, and time.

How we can help…

At Secliance, we want to make sure every project we work on is successful - that is why we follow a straightforward process to guide you through FISMA compliance. The duration and level of effort required in some of these steps depend greatly on the maturity of your security program. Each client is assigned a dedicated FISMA expert from beginning to end.

FISMA Compliance Process

Do you have questions about FISMA compliance? Contact Stella Bridges at stella.bridges@secliance.com for a free strategy session.