FISMA is a comprehensive framework for protecting government operations and information against threats. It was signed into law in 2002, and last updated in 2014. It requires federal systems to meet certain security requirements.
There is no exemption for any agency, and oftentimes, it plays a crucial role in businesses’ decision-making. FISMA compliance is a complex set of security requirements and in the following, we’ll talk about the most basic and important ones. Let’s begin!
Keep an Inventory of All IT Systems
Each federal agency must maintain an inventory of all information systems it controls or operates. This includes an inventory of any links among those systems as well as connections between internal and external systems. This includes the encrypted cloud systems of an agency as well.
Categorize According to Risk Level
Agency data and IT systems are classified according to their risk level: low, medium, or high.
- Low-impact systems are generally informational and do not contain sensitive information that needs safeguarding.
- Moderate-impact systems may have sensitive information and will need to be protected more.
- High-impact systems contain information that is considered to be highly sensitive and could pose a serious risk to the U.S. government. It is necessary to categorize the agency’s encrypted cloud environment.
The National Institute for Standards and Technology (NIST), provides guidelines for mapping types of information and information systems to security categories so that companies can categorize their business accordingly.
Keep a System Security Program
Officially called a System Security Plan (or SSP), all agencies must create and maintain a plan that outlines how security controls will be implemented. The SSP should be regularly updated and include a Plan of Action and Milestones.
Use Security Controls
NIST has defined minimum federal security requirements in FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems”. Based on mission requirements, agencies first choose the security controls and assurance requirements that are appropriate. Agencies then use the SSP to document the security controls and apply them accordingly.
Conduct Risk Assessments
Each agency must conduct risk assessments to validate the effectiveness of its security controls. Agency risk assessments also help determine whether additional security controls are required to protect any information or IT systems.
Accreditation and Certification
After completing documentation and risk assessments, agencies must then certify the security controls work properly. After this certification is completed, the information system can be “accredited.”
Conduct Continuous Monitoring
It’s important to conduct continuous monitoring in order to prevent information leaks. By doing so, you can identify potential security threats and take steps to mitigate them. Additionally, continuous monitoring can help you detect when sensitive information has been compromised so that you can take appropriate action.
Monitoring systems include detecting abnormalities, performing security impact assessments, assessing security controls, and reporting on status, among other things. This should be done often, and the report given should be detailed and precise.
How Can an Agency Ensure Compliance With FISMA?
There are a number of ways that an agency can ensure compliance with FISMA. First and foremost, agencies must have a robust security program in place. This program should include policies and procedures for protecting information systems and data, as well as training for employees on how to properly secure information.
A tool or a set of tools that has the following capabilities can also be used to significantly reduce the time and effort required to comply with the law:
- Find network devices and download an inventory of software and systems installed on your network.
- Verify that the devices are properly configured from a security perspective.
- Verify that security patches and system updates have been applied to all systems.
- To help detect malicious behavior or threats, monitor system logs.
- Block and quarantine suspicious or malicious activity.
- To catch system failures before they occur and not after they cause downtime, monitor the performance of the system.
These are only the most fundamental, high-level FISMA compliance requirements. There are hundreds of additional security controls. They cover everything, from the most minor technical details to program-wide decisions that impact funding, personnel security, disaster recovery plans, and data protection mechanisms.
Even low-impact systems may contain more than 100 controls. Each of these controls may be broken out into individual enhancements. FISMA strongly advises companies to follow the guidelines in order to keep all data safe and to lower the risk of information leaks at any point.