Federal Information Security Management Act (FISMA) Compliance

Overview

The Federal Information Security Management Act (FISMA) requires each federal agency, department, or bureau, and any entity to which agency business has been outsourced, to develop, document, and implement an agency-wide information security program. FISMA defines information security as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. Annual FISMA scorecard evaluations are an important measure for demonstrating a successful FISMA compliance program.

The National Institute of Standards and Technology (NIST) has developed and published the standards and guidelines for these security programs. A program should include:

  • Inventory of information systems: FISMA requires that agencies have in place an information systems inventory. The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
  • Categorize information and information systems according to risk level: All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels.
  • Security controls: Federal information systems must meet the minimum security requirements mandated by the FISMA legislation, namely those specified in FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems”.
  • Risk assessment: A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls.
  • System security plan: Agencies should develop policy on the system security planning process. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls.
  • Certification and accreditation: Once the system documentation and risk assessment have been completed, the system’s controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”.
  • Continuous monitoring: Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

Project Scoping

Our professionals will work closely and collaboratively with your management team to determine which sections of the FISMA standard apply to your agency, department, or bureau’s operations. Through interviews with key management and IT personnel, we identify the controls that need to be in place to meet the FISMA compliance requirements. Once the scope of the project has been determined, we begin the FISMA Readiness Assessment.

FISMA Readiness Assessment

A Readiness Assessment is a proactive approach to ensuring your security program will meet the compliance and scoring requirements of the FISMA standards. Entities that are required to undergo FISMA assessments often find the first year the most difficult: not only must they comply with new audit requirements, they also need to build out the documentation and processes the standard calls for. This is where our professionals step in. Once we have identified the scope of the project, we create a detailed document request list covering every piece of documentation we need to perform walkthroughs. We work side-by-side with your management team and IT personnel to perform walkthroughs that verify essential security controls, programs, and metrics are in place and designed effectively. Once walkthroughs have been completed, we prepare a detailed report and gap analysis identifying which controls will pass and which will fail. For each failed control, we provide remediation assistance.

Remediation Assistance

Once the Readiness Assessment has been completed, we provide a detailed gap matrix that includes the specific remediation steps the client must perform to pass each control. Where documentation is required, we assist in developing policies and procedures. Once controls have been remediated, our team tests each control to ensure it will pass. This second phase of testing is performed at no additional cost to our clients. Our extensive experience in this area creates efficiencies in the remediation process, saving your organization time and money.

FISMA Compliance Testing

For clients who do not require a Readiness Assessment, we can begin FISMA compliance testing immediately. Once we have identified the scope of the project, we create a detailed document request list covering every piece of documentation we need to perform our test procedures. This list is sent well in advance of onsite fieldwork, saving your personnel time and creating efficiencies in the process. Once onsite, we work side-by-side with your management team and IT personnel and walk through each control requirement. Because our professionals are highly experienced in FISMA compliance testing, we are able to minimize disruption to your business operations while testing is performed. Our testing procedures include a mix of interviews, observations, and sampling. Once test results have been compiled, we share them with management. We assist management in drafting responses to any gaps identified during testing and prepare a report for management’s review.

FISMA Compliance Reporting

We tailor the final report to suit the needs of its intended audience. If your agency, department, or bureau intends to use the report for internal purposes, we conduct a consulting engagement and collaborate with management to determine the reporting format best suited to your needs. If the primary purpose of the report is to present the findings to external parties, we perform an agreed-upon procedures engagement and draft the report to comply with the standard reporting format.

Resources

SSAE 16 Professionals has assembled top tier leadership to help our clients through the FISMA Compliance process. For further information regarding FISMA Compliance, or to request a fee proposal from SSAE 16 Professionals, please visit our Contact Us page to submit an informational form or call 1-866-480-9485 today. We look forward to hearing from you!