What is FISMA

The Federal Information Security Modernization Act (FISMA) is a federal law that establishes a framework for protecting federal government information and operations from cyber threats. FISMA is part of the E-Government Act that was passed in 2002. It requires federal agencies and their contractors to implement and maintain security measures to protect sensitive data. FISMA applies to all federal agencies, including those that administer federal programs, as well as private businesses and service providers holding contracts with the U.S. Government.

Key FISMA requirements include:

  • Information systems inventory: Agencies must maintain an inventory of all information systems used or operated by the agency or by contractors on their behalf.
  • Risk categorization: Categorize data and information systems by risk level using the FIPS 199 standard, so that sensitive information and the systems that hold it receive the appropriate level of security.
  • Security controls: Identify and implement the NIST 800-53 controls relevant to your organization, systems, and impact level.
  • Risk assessments: Conduct regular risk assessments to identify vulnerabilities and threats to systems and data.
  • System Security Plan (SSP): Develop and maintain a security plan that covers the implementation of security controls and policies.
  • Security authorization: Conduct a security authorization process that includes assessment of controls, risk determination, and authorization decisions.
  • Continuous monitoring: Agencies must continually assess and monitor the effectiveness of their security controls and systems. This includes regular risk assessments, vulnerability scans, and ongoing monitoring of system configurations.
  • Incident response and reporting: Organizations must design and implement a formalized response plan. Incidents must be reported to the United States Computer Emergency Readiness Team (US-CERT).
  • Third-party monitoring: Agencies must ensure that their third-party vendors that handle federal information are FISMA compliant.

FISMA relies on NIST standards to provide agencies and contractors with a path to compliance. To demonstrate compliance, private contractors must implement the relevant NIST 800-53 security controls for one of the Low, Medium, or High impact levels. The twenty NIST 800-53 control families, which together contain more than 1,000 individual controls, are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization, and Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Personnel Security
  • Personally Identifiable Information (PII) Processing and Transparency
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Supply Chain Risk Management
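The risk-categorization step and the choice of impact level for the control baseline both come from the FIPS 199 procedure: each information type a system carries is rated for confidentiality, integrity and availability, the system inherits the highest rating per objective, and the overall level (the high-water mark, which FIPS 199 names Low, Moderate or High) selects the NIST 800-53 baseline. The following is an added example, not code from the original page or from CompliancePoint; the information types and their ratings are constructed.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    NOT_APPLICABLE = 0   # permitted only for the confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """Apply the FIPS 199 procedure to an information system.

    info_types maps each information type the system stores, processes or
    transmits to its (confidentiality, integrity, availability) impacts.
    Returns the per-objective categorization and the overall impact level;
    the overall level is what selects the NIST SP 800-53 control baseline.
    """
    if not info_types:
        raise ValueError("an information system must carry at least one information type")
    for name, impacts in info_types.items():
        if len(impacts) != 3:
            raise ValueError(f"{name}: expected (C, I, A) impacts")
        if Impact.NOT_APPLICABLE in impacts[1:]:
            raise ValueError(f"{name}: integrity and availability are never N/A under FIPS 199")
    # Per objective, the system inherits the highest impact of any information type it carries.
    system = {obj: max(impacts[i] for impacts in info_types.values())
              for i, obj in enumerate(OBJECTIVES)}
    # The overall impact is the high-water mark across the three objectives.
    overall = max(system.values())
    return system, overall


def format_sc(system):
    """Render the categorization in the SC notation FIPS 199 uses."""
    def label(level):
        return "NA" if level is Impact.NOT_APPLICABLE else level.name
    parts = ", ".join(f"({obj}, {label(system[obj])})" for obj in OBJECTIVES)
    return "SC information system = {" + parts + "}"


# Constructed example inventory: two information types hosted on one system.
SAMPLE_SYSTEM = {
    "public web content": (Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    "contractor PII": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
}

if __name__ == "__main__":
    system, overall = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(system))
    print("Select the NIST SP 800-53", overall.name, "baseline")
```

Tailoring and overlays are then applied on top of the selected baseline; the categorization only fixes the starting point.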


The Five FISMA Rules

FISMA shares the same five core requirements as NIST:

Identify: Understand the cybersecurity risks to the assets, users, data, and systems within an organization.

Protect: Implement security measures to safeguard information and systems against threats and ensure the delivery of infrastructure services.

Detect: Implement monitoring procedures to identify security incidents and changes to systems and networks.

Respond: Develop and implement policies and procedures to respond to security incidents, including containment actions.

Recover: Develop plans to restore systems and services after an incident to ensure business continuity.

Who Should Comply with FISMA?

FISMA requires federal agencies, and the contractors that handle federal agency data, to develop and implement information security programs that meet its requirements. State agencies that administer federal programs, such as Medicare and Medicaid, may also need to adhere to FISMA requirements.

Risks of Non-compliance

Failure to comply with FISMA can result in losing federal funds. Not meeting the necessary FISMA requirements or NIST standards could increase an organization’s risk of a data breach, loss of ability to process or handle third-party data, or loss of business customers or partners. It's also important to keep in mind the possibility of PR damage to your organization and loss of brand equity.

What is the Difference Between FISMA and FedRAMP?

FISMA and FedRAMP are both federal programs designed to protect data, but they differ in scope and applicability. FISMA provides a general security framework for all federal information systems. FedRAMP is a framework designed specifically for cloud service providers (CSPs). Both standards use NIST 800-53 as a foundation, but FedRAMP includes parameters and guidance above the NIST baseline that address the unique elements of cloud computing.

What is the Difference Between FISMA and NIST?

NIST and FISMA have many similarities, as NIST frameworks serve as the foundation for FISMA. NIST is a series of voluntary frameworks (CSF, 800-53, 800-171, etc.) that provide guidance for organizations to improve their cybersecurity posture. FISMA is a federal law that requires federal agencies and contractors that handle federal data to implement NIST standards to protect that data.

What is the Difference Between FISMA and CMMC?

CMMC and FISMA are both federal programs that leverage NIST standards, but they have different audiences. CMMC is a Department of Defense (DoD) program to protect Federal Contract Information and Controlled Unclassified Information in the Defense Industrial Base. Businesses that want to win DoD contracts must comply with CMMC. FISMA is broader than CMMC, applying to all federal agencies and their contractors.

What is the Relationship Between FISMA and FIPS?

Federal Information Processing Standards (FIPS) are a core element of achieving FISMA compliance. FIPS are developed by NIST for federal computer systems and are focused on data encryption. The standards are required for non-military government agencies and their contractors that handle confidential or sensitive data. Many private businesses in finance, healthcare, and other industries find FIPS compliance beneficial, even though it isn't a requirement for them.

How We Can Help

Our team of experts understands how FISMA requirements can impact your data security procedures, as well as your business’s bottom line. Leverage CompliancePoint’s experience and knowledge to design, implement, and maintain a security program that will bring your organization into compliance with FISMA.

The risks of non-compliance are too high to take chances - let our experts help! Contact us at connect@compliancepoint.com to learn more about how our services can help your organization achieve its FISMA and NIST goals.


Our assessors and consultants are experts on the government standard for NIST compliance. Our comprehensive assessments let you identify areas of risk and implement defined security controls to meet NIST standards.