FISMA Compliance: Ensuring Data Security and Compliance

LastPass, published September 26, 2024

Understanding FISMA Compliance 

What is FISMA compliance and why is it important?

The Federal Information Security Management Act (FISMA) is a federal law passed in 2002 and amended in 2014 that requires federal agencies to develop and maintain systems and processes that support information security.

The law assigns different responsibilities to the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the individual federal agencies. FISMA and NIST set the compliance standards that organizations must follow.

FISMA compliance is important because it strengthens information security at the federal level, protecting critical data, and because non-compliance carries significant consequences.

Key components of FISMA compliance

FISMA compliance has several components. Continuous monitoring and assessments are required, as is the development of a System Security Plan (SSP) that spells out the policies and procedures that will be followed to secure sensitive information.

Other components include conducting risk assessments and implementing baseline security controls, along with reporting standards for breaches. FISMA guidelines can be broken into seven topic sections, and by compiling these into a checklist, organizations can use these guidelines to ensure up-to-date security practices and a strong security posture.  

For more on these specific guidelines and what measures are required for compliance, click here. 

How FISMA compliance protects sensitive data

FISMA compliance, rules, recommendations, and guidelines keep data safe in government systems. Not only must federal agencies comply, but so must suppliers, vendors, third-party service providers, and government contractors.  

This protects sensitive data because each entity is on the same page, working towards the same goals, with the objective of keeping data safe and out of the hands of criminals. 

Meeting FISMA Compliance Requirements 

Understanding the specific requirements of FISMA compliance

FISMA compliance requires adherence to a specific set of requirements with the objective of protecting what cybersecurity professionals know as the CIA triad: the confidentiality, integrity, and availability of data.   

In essence, data confidentiality, integrity, and availability must be protected at all times. Data must be kept confidential where appropriate; its integrity must be protected so that it stays whole and unaltered; and it must be available to those who need it while remaining unavailable to those who don't. This triad is the foundation of information security.

This means creating agency-wide programs to meet the needs of FISMA and NIST standards, having policies for addressing various risks and continuously monitoring risks, utilizing security controls appropriately, and performing monitoring and annual reviews.  

Specifically, this means ensuring an organization is continuously monitoring and conducting reviews at least annually, as well as performing risk assessments, documenting controls, and meeting at least the minimum security requirements. It also means an organization must perform risk categorization according to FIPS Publication 199 from NIST. With this method, risks are categorized as low, moderate, or high and evaluated accordingly, ensuring risks are addressed in the appropriate order.
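The FIPS 199 categorization step above is mechanical enough to show in code. The following is an added example written for this page, not LastPass's code or a NIST tool: it applies the FIPS 199 "high-water mark" rule, in which each security objective (confidentiality, integrity, availability) of a system takes the highest impact level of any information type the system holds, and the system's overall category is the highest of the three. The information types and impact levels in the sample are constructed; the function names are the example's own.

```python
"""FIPS 199 security categorization using the high-water mark rule.

Added example; the information types below are constructed sample data.
"""
from dataclasses import dataclass

# FIPS 199 impact levels, lowest first. "N/A" is permitted only for the
# confidentiality of public information; a system as a whole is never below LOW.
RANK = {"N/A": -1, "LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type and its provisional impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _validate(level: str, objective: str) -> str:
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "N/A" and objective != "confidentiality":
        raise ValueError(f"N/A is only allowed for confidentiality, not {objective}")
    return level


def categorize_system(info_types):
    """Return ({objective: level}, overall) for a system holding info_types.

    Per objective: the highest level across all information types, floored at
    LOW (a system's objectives cannot be N/A). Overall: the highest objective.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    per_objective = {}
    for obj in OBJECTIVES:
        levels = [_validate(getattr(t, obj), obj) for t in info_types]
        levels.append("LOW")  # system-level floor
        per_objective[obj] = max(levels, key=RANK.__getitem__)
    overall = max(per_objective.values(), key=RANK.__getitem__)
    return per_objective, overall


def format_sc(per_objective: dict) -> str:
    """Render in the SC = {(confidentiality, X), ...} notation used by FIPS 199."""
    inner = ", ".join(f"({obj}, {per_objective[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


def prioritize(systems: dict):
    """Order named systems highest impact first, so HIGH systems are addressed first."""
    scored = {name: categorize_system(types)[1] for name, types in systems.items()}
    return sorted(scored, key=lambda n: RANK[scored[n]], reverse=True)


# Constructed sample: a benefits system and a public website.
SYSTEMS = {
    "benefits-processing": [
        InfoType("claimant records", "MODERATE", "MODERATE", "LOW"),
        InfoType("payment instructions", "MODERATE", "HIGH", "MODERATE"),
    ],
    "public-website": [
        InfoType("press releases", "N/A", "MODERATE", "LOW"),
    ],
}

if __name__ == "__main__":
    for name, types in SYSTEMS.items():
        per_obj, overall = categorize_system(types)
        print(f"{name}: {format_sc(per_obj)} -> {overall}")
    print("work order:", prioritize(SYSTEMS))
```

Note that the public website's confidentiality comes out as LOW even though its only information type is marked N/A; that floor is the system-level rule, and dropping it is the usual mistake when this calculation is done by hand.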

FISMA compliance often also means ensuring that federal employees maintain certifications and organizations maintain accreditation.  

Implementing security controls and safeguards

We’ve talked about how FISMA requires implementing security controls and safeguards. Now let’s see what some of those are. NIST SP 800-53 Rev. 5 lays out the specific guidelines for a minimum, or baseline, standard for security and privacy controls.  

In cybersecurity, controls are measures taken to prevent security incidents. They can be physical (such as a lock or a camera) or technical, like multi-factor authentication or a firewall. NIST lays out specific strategies that should be used as a "starting point" in information security, a means of maintaining at least a baseline security posture.

Conducting regular risk assessments and audits

A critical component of FISMA compliance is conducting regular risk assessments and audits.  

This is important because a risk assessment allows for a fuller understanding of what could go wrong, and an audit allows for a fuller understanding of what is going wrong. 

Risk assessments and audits make everyone more secure, creating an atmosphere of coordinated effort toward information security, one that contributes to the overall health of the organization.  

The Benefits of FISMA Compliance 

Enhanced data protection and security

Everyone wins when enhanced data protection and security are met as an objective. This is especially true of federal agencies and organizations, as well as their vendors and contractors since federal agencies have access to critical data that has the potential for enormous impact if misused or misplaced.  

FISMA compliance creates an environment in which all members are focused on the same goal: information security.  

Improved public trust and reputation

It’s no secret that compliance leads to improved public trust and reputation. Citizens everywhere rely on the government to keep them safe and to keep their affairs in order. Federal agencies have a particularly important role in maintaining trust, especially when it comes to securing personal data.  

FISMA compliance is a means of maintaining that trust and preserving the reputation of various federal agencies in whom people have placed their confidence and with whom people have shared data. 

Meeting regulatory obligations and avoiding penalties

There is no organization more concerned with cybersecurity and the security of data and information than the Department of Defense (DoD).

The implementation of FISMA ensures that the DoD can continue to accomplish its mission, and the fines and penalties for not meeting regulatory obligations can be very impactful to an organization.

Some of these penalties include the loss of federal funding, exclusion from federal contracts, and severe reputational damage. In addition, not complying with FISMA means a weaker cybersecurity posture and therefore a more exposed system infrastructure. Partners, vendors, and contractors who aim to work with the federal government will incur penalties if they do not comply.

Who Needs to Follow FISMA Compliance? 

Organizations and agencies subject to FISMA regulations

FISMA compliance applies specifically to federal agencies and the vendors, partners, and contractors that work with them. If a private company handles sensitive federal information, they are also required to comply, along with state and local agencies who receive any federal funding.  

While other organizations are not necessarily subject to FISMA, ensuring compliance maintains a stronger cybersecurity posture and creates avenues of opportunity for future networking and cooperation. 

Specific industries and sectors affected by FISMA requirements

Anyone involved in the nation’s defense in any way is required to be FISMA compliant. Additionally, there are specific industries and sectors affected by FISMA requirements. 

Some of these include Medicaid, Medicare, and unemployment insurance, among many others.  

Determining if your organization falls under FISMA compliance

So how do you determine if your own organization falls under FISMA compliance? There are many ways to intersect with FISMA, to learn best practice security controls, and to access education about your obligation to comply and how to do it.  

FISMA certifications meet this purpose of developing expertise in compliance, and there are also specialists who can help ensure compliance. Because the nature of FISMA compliance revolves around meeting regulations and obtaining education about best practices, there are a couple of different ways to go about this.  
 
First, FISMA provides guidance: all government agencies, with no exceptions, fall under FISMA. In addition, any third-party vendors and government contractors also fall under FISMA. Second, FISMA provides certification and resources to assist organizations in becoming compliant and understanding the effects of non-compliance, as well as definitions surrounding who is and is not affected.  

Ensuring FISMA Compliance Best Practices 

Developing a comprehensive security plan

FISMA requires the development of a comprehensive security plan and guidance for how to go about it. One useful tool is a FISMA compliance checklist, which includes seven steps to help organizations establish a security plan and remain in compliance. 

Another is NIST SP 800-53, a publication from the National Institute of Standards and Technology, which outlines the standards by which a security plan should operate. The plan in question should meet baseline security controls as established by FISMA and include system risk categorization so that vulnerabilities and potential issues can easily be addressed.  

Training employees on security awareness

Once a comprehensive security plan has been established, it is critical to train employees on security awareness and to develop ongoing training to ensure compliance standards are met.  

This can be done in a few different ways. Many organizations provide programs and curricula to assist employees in obtaining and retaining knowledge around security best practices. This can be done via courses and workshops, regular meetings, and even by testing employee responses to known threats and/or fake phishing emails and then providing individual counseling to increase their education and awareness.  

It is also good to provide a means by which employees themselves can report security concerns or get questions answered. As security is a culture, it is helpful to maintain both a strong security posture and a culture of compliance and education around FISMA regulations. 

Continuous monitoring and incident response

An important step in FISMA compliance is to ensure both that the comprehensive security plan is followed and that employee training is effective, by taking action to continuously monitor for security issues. This also provides a method for response when incidents occur.

Again, FISMA provides guidance for doing so in a compliant way, and this includes both a set of guidelines for how a continuous monitoring operation should look, as well as how to respond to security incidents.  

Knowing how to monitor, respond, document, and modify the plan to reduce the attack surface is as important as establishing the plan and teaching employees their part. Examples include meeting key FISMA requirements such as conducting the required annual reviews of security systems and programs, or keeping risks at or below specific accepted levels.

Any changes to the original plan should be documented in the System Security and Privacy Plan (SSPP) and be readily available, so that a faster and more efficient response to security breaches is possible.

Penalties for FISMA Non-Compliance 

Understanding the consequences of non-compliance

Since FISMA compliance is a requirement without exception for all federal agencies, vendors, and contractors, one major consequence of non-compliance is the loss of government contracts, as well as potential funding cuts from the Federal government. A more obvious consequence is a severely lacking security posture and an increase in security events and breaches. FISMA guidelines provide a framework for best-practices, and this means that an organization in a non-compliant state is also not secure. 

FISMA certification helps ensure the continuity of FISMA-compliant practices within an organization. To become certified, one year of FISMA compliance is required. After that, key organization players can register for the FISMA certification exam and conduct annual security reviews, following the four key processes drawn from NIST SP 800-37 to move toward accreditation: initiation and planning, certification, accreditation, and continuous monitoring.

Financial penalties and legal implications

It’s important to understand that FISMA compliance will also help organizations to avoid financial penalties and legal implications. In addition to the possibility of losing government funding, government contracts, and of a tarnished reputation, FISMA non-compliance can result in required participation in government hearings, costing time and money for organization members, as well as other legal requirements related to the hearing.  

Steps to take in case of a compliance violation

So, what do you do if you suspect a FISMA violation has occurred?  

Start by clearly identifying and documenting the violation, reporting the incident to the correct authorities for the situation (an IT team, cybersecurity team, or Chief Information Officer), and containing the violation so that the breach does not spread or create a larger incident.

You'll then need to assess the impact and, if the violation was severe and external authorities were affected, notify them. Depending on the type of violation, these might include the Department of Homeland Security or the Office of Management and Budget.

Lastly, once remediation and recovery have begun, it’s also important to review and update any policies currently in place to ensure continuity and then to begin the monitoring and auditing process anew.  

Meet FISMA Requirements with LastPass 

Compliant password management system

LastPass is a useful tool to assist with meeting FISMA requirements, as well as an important ally in the fight to remain vigilant against all forms of cybercrime.  

LastPass provides a FISMA-compliant password management system, designed to assist users with password management and ultimately reduce the attack surface of any organization. 

Risk mitigation

Using LastPass, it is easy to identify and address sensitive passwords in the vault that are considered at-risk. LastPass users can view at-risk passwords (ones that may be weak, missing, or reused) on demand.

This makes the process of changing passwords as needed essentially foolproof. Because LastPass provides a security score for users, risk mitigation becomes easier.  
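To make the three at-risk categories above concrete, here is an added example that is not LastPass's code and does not reflect how its vault or security score are implemented: it runs a simple audit over a constructed vault, flagging entries whose password is missing, weak (too short or on a small deny list), or reused across sites, and derives a score from the share of entries with no findings. The thresholds, deny list, and vault entries are all assumptions made for the example; a real password manager would compare hashed values rather than plaintext and use a much larger breached-password list.

```python
"""Vault health audit: flag missing, weak and reused credentials.

Added example with a constructed vault; not LastPass's implementation.
"""
from collections import Counter

MIN_LENGTH = 12                                   # assumed policy minimum
COMMON = {"password", "123456", "qwerty", "letmein"}  # tiny constructed deny list

# Constructed sample vault. One strong unique password, one password reused on
# two sites, one empty entry, and one common password.
VAULT = [
    {"site": "mail.example.com", "user": "alice", "password": "Tr0ub4dor&3-horse-battery"},
    {"site": "hr.example.com", "user": "alice", "password": "Summer2024!"},
    {"site": "vpn.example.com", "user": "alice", "password": "Summer2024!"},
    {"site": "legacy.example.com", "user": "alice", "password": ""},
    {"site": "wiki.example.com", "user": "alice", "password": "password"},
]


def audit_vault(entries):
    """Return {site: [issues]} for every entry with at least one finding.

    Issues are "missing", "weak" and "reused". An empty password is reported
    only as missing; weakness and reuse are judged for non-empty passwords.
    """
    usage = Counter(e["password"] for e in entries if e["password"])
    findings = {}
    for entry in entries:
        pw = entry["password"]
        issues = []
        if not pw:
            issues.append("missing")
        else:
            if len(pw) < MIN_LENGTH or pw.lower() in COMMON:
                issues.append("weak")
            if usage[pw] > 1:
                issues.append("reused")
        if issues:
            findings[entry["site"]] = issues
    return findings


def security_score(entries):
    """Percentage of entries with no findings, rounded to a whole number."""
    if not entries:
        return 0
    healthy = len(entries) - len(audit_vault(entries))
    return round(100 * healthy / len(entries))


if __name__ == "__main__":
    for site, issues in audit_vault(VAULT).items():
        print(f"{site}: {', '.join(issues)}")
    print(f"score: {security_score(VAULT)}%")
```

The reuse check is the one worth keeping even if the rest is replaced: a single reused password turns one site's breach into several, which is exactly the attack surface the section above says the vault view is meant to shrink.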

Control of access

The goal of access control within a security context is to begin with the most important task: keeping unauthorized users out of an organization’s data and resources. These policies and procedures can both verify that users are indeed who they say they are and manage the levels of access each user receives. LastPass assists with both of these by ensuring a compliant means of storing and managing passwords and verifying accessibility.  

Incident response

LastPass helps with FISMA-compliant incident response through several features. An organization using LastPass receives the benefits of these features, which include detection and monitoring, containment and mitigation, communication and transparency, security enhancements following an incident, and collaboration with authorities to investigate and identify cybercriminals.  

Set and enforce password requirements

Using LastPass makes it easy to set and enforce password requirements. Creating unique and strong passwords is the frontline of defense, and LastPass makes it easy to meet this requirement by providing a built-in password generator, making passwords harder to crack.  

LastPass also stores these passwords securely, provides ease of use to avoid cutting corners on secure practices, and even helps with auto-filling forms securely so that credentials are never used on unsafe websites.  
