The Federal Information Security Management Act (FISMA) requires each federal agency, department, or bureau, or those entities which have outsourced agency business, to develop, document, and implement an agency-wide information security program. FISMA defines information security as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. Annual FISMA scorecard evaluations are the important measure for demonstrating a successful FISMA compliance program.
Security program standards and guidelines have been developed and published by the National Institute of Standards and Technology (NIST), and should include:
Our professionals will work closely and collaboratively with your management team to determine which sections of the FISMA standard apply to your agency, department, or bureau’s operations. Through interviews with key management and IT personnel, we can identify the controls that need to be in place to meet the FISMA compliance requirement. Once the scope of the project has been determined, we begin the FISMA Readiness Assessment.
A Readiness Assessment is a proactive approach to ensuring your security program will meet the necessary compliance and scoring requirements of the FISMA standards. Entities who are required to undergo FISMA assessments often find the first year is the most difficult. Not only do they have to comply with new audit requirements, but they need to build out their documentation and processes to comply with the standard. This is where our professionals step in. Once we have identified the scope of the project, we create a detailed document request list which includes every piece of documentation we need to perform walkthroughs. We work side-by-side with your management team and IT personnel to perform walkthroughs to verify essential security controls, programs and metrics are in place and designed effectively. Once walkthroughs have been completed, we prepare a detailed report and gap analysis which will identify which controls will pass and which controls will fail. For each failed control, we will provide remediation assistance.
Once the Readiness Assessment has been completed, we will provide a detailed gap matrix which includes specific remediation steps the client must perform to pass each control. In cases where documentation is required, we assist develop policies and procedures. Once controls have been remediated, our team will test the control to ensure it will pass. This second phase of testing is performed at no additional cost to our clients. Our vast experience in this area will create efficiencies in the remediation process, saving your company time and money.
For clients who do not require a Readiness Assessment, we can begin the FISMA compliance testing immediately. Once we have identified the scope of the project, we create a detailed document request list which includes every piece of documentation we need to perform our test procedures. This detailed document request list is sent well in advance of onsite fieldwork, saving your personnel time and creating efficiencies in the process. Once onsite, we work side-by-side with your management team and IT personnel and walk through each control requirement. Since our professionals are very experienced in FISMA compliance testing, we are able to minimize disruptions to your business operations while testing is being performed. Our testing procedures will include a mix of interviews, observations and sampling. Once test results have been compiled, we will share the results with management. We will assist management when drafting responses to any gaps which were identified during testing and draft a report for management’s review.
We will tailor the final report to suit the needs of its intended audience. If your agency, department, or bureau intends to use the report for internal purposes, we will conduct a consulting engagement and collaborate with management to determine the best reporting format for your particular needs. If the primary purpose of the report is to present the findings to external parties, we will perform an agreed upon procedures engagement and draft the report to comply with the standard reporting format.
SSAE 16 Professionals has assembled top tier leadership to help our clients through the FISMA Compliance process. For further information regarding FISMA Compliance, or to request a fee proposal from SSAE 16 Professionals, please visit our Contact Us page to submit an informational form or call 1-866-480-9485 today. We look forward to hearing from you!