Making Sense of FISMA Compliance


Government-affiliated entities and organizations remain attractive targets for attackers because they handle both classified government information and a wealth of personal and financial information about civilians. With the number of security threats rising globally, reducing security risk and understanding the Federal Information Security Management Act (FISMA) has never been more important.

Why was FISMA compliance created?

FISMA became U.S. law as part of the larger E-Government Act of 2002. It defines a framework of requirements to secure the operations of federal agencies in a connected world. The law was further updated in 2014 as the Federal Information Security Modernization Act. The details of FISMA compliance have evolved from a body of NIST Special Publications and other risk and security standards into the NIST Risk Management Framework (RMF).

The growth of desktop computing and the increasing use of computer networks required a comprehensive approach to securing digital resources across federal agencies. FISMA made a set of minimum security requirements, as well as specific responsibilities, into law. The act requires agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their systems
  • Authorize system processing and operations

These requirements established common security guidelines and emphasized both accountability and the regular review of security processes.


Who needs to follow FISMA compliance?

The processes and procedures for implementing FISMA are a key element of the NIST Risk Management Framework. This risk-based approach for implementation has integrated security into daily agency activities, as well as defined how information systems are to be built and maintained. Though the original scope of the law was specific to federal agencies, FISMA’s scope has evolved as the law has become integrated within agency operations.

NIST and FISMA

The implementation of FISMA within the NIST Risk Management Framework (RMF) has extended it to both state agencies that manage federal programs, as well as companies with federal agency contracts. This broadening of compliance acknowledges that the security of federal agencies and systems extends to all stakeholders that are part of building, running, and working with federal systems. Any organization relying on federal funds is required to be FISMA compliant.

Federal agencies themselves are not immune from scrutiny when it comes to compliance. A May 2019 article from The National Law Review details the U.S. Department of Health & Human Services’ deficiencies in data protection and privacy. Specifically, the article cited the Data Protection and Privacy section of the report, which “indicated that there were weaknesses in the security controls for protecting personally identifiable information (PII) and other agency sensitive data throughout the data lifecycle.”

HHS is unfortunately in good company, as FedScoop points out:

Federal agencies reported 35,277 information security incidents to the Department of Homeland Security in fiscal 2017.

How do I become FISMA compliant?

FISMA compliance begins with implementing the security controls and RMF standards developed by NIST. NIST SP 800-53 spells out the federal standards for building and running information security systems.

This includes defining key building blocks for identity management, authorization and authentication, and other access control concepts. In addition to NIST SP 800-53, the FIPS 199 and FIPS 200 publications provide standards for security categorization and minimum security requirements, respectively. Adherence to these published standards within the RMF will typically involve demonstrating or attaining the following:

  • Information Systems Inventory
    • Maintain an inventory of all systems and their integrations
  • Risk Categorization (FIPS 199)
    • Categorize and document information and information systems by impact on:
      • Confidentiality
      • Integrity
      • Availability
  • System Security Plan
    • Document and implement a security plan and process
    • Establish a regular review process for updates
  • Security Controls (NIST SP 800-53)
    • Demonstrate and document the implementation of the security controls defined within the publication
  • Risk Assessments
    • Produce a tiered risk assessment via the NIST RMF for information system changes
  • Certification and Accreditation
    • Annual security reviews to demonstrate FISMA compliance
    • Security reviews apply to federal and state agencies, as well as companies with federal contracts

Established FISMA Compliance Best Practices

Staying compliant with FISMA helps ensure that the relevant RMF guidelines are implemented and maintained. A necessary prerequisite for FISMA compliance is the information systems inventory. This living documentation makes further risk categorization, security planning, and the implementation of security controls possible, since FISMA compliance works best when it is part of planning and implementing any change during the lifetime of a system.

  • Maintain a regularly updated information systems inventory. It enables:
    • Risk categorization
    • Maintenance of security plans
    • Implementation of security controls
  • Conduct regular risk assessments to evaluate security controls:
    • Perform risk categorization
    • Validate current security controls
    • Determine whether new security controls are necessary
  • Stay current on legislation and industry standards. As was the case with HHS, there were significant weaknesses related to personnel training, including new recruits. A March 2018 article in HIPAA Journal summed up the situation: “While the number of employees that had not been sufficiently trained was low, those individuals pose a considerable risk to the security of HHS systems and network.” Recognizing HHS’s failure in these areas, prioritize the following:
    • NIST RMF updates
    • Privacy and data protection
    • Security best practices
  • Maintain continuous monitoring. Security controls need monitoring on a continuous basis for the following control families:
    • System Integrity (SI)
    • Configuration Management (CM)
    • Incident Response (IR)
    • Audit and Accountability (AU)

Integrity Monitoring for FISMA Compliance

File system and integrity monitoring software can help keep organizations compliant under the NIST SP 800-53 federal guidelines. In addition to helping with control objectives and the mapping of NIST SP 800-171 controls to NIST SP 800-53 security requirements, a file system and integrity monitoring tool can provide a complete audit trail for the Audit and Accountability control family.

Learn more about how CimTrak helps with NIST SP 800-53 security controls and compliance today.

FISMA and 800-53 Rev.4 Security Controls Solution Brief


Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".