What is FISMA Compliance? 2019 FISMA Definition, Requirements, Penalties, and More
Learn about the role of data protection in achieving FISMA compliance in Data Protection 101, our series on the fundamentals of information security.
Definition of FISMA Compliance
The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement for federal agencies to develop, document, and implement an information security and protection program. FISMA is part of the larger E-Government Act of 2002 introduced to improve the management of electronic government services and processes.
FISMA is one of the most important regulations for federal data security standards and guidelines. It was introduced to reduce the security risk to federal information and data while managing federal spending on information security. To achieve these aims, FISMA established a set of guidelines and security standards that federal agencies have to meet. The scope of FISMA has since increased to include state agencies administering federal programs like Medicare. FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government.
In April 2010 the Office of Management and Budget (OMB) released guidelines which require agencies to provide real time system information to FISMA auditors, enabling continuous monitoring of FISMA-regulated information systems.
FISMA Compliance Requirements
The National Institute of Standards and Technology (NIST) plays an important role in the FISMA Implementation Project launched in January 2003, which produced the key security standards and guidelines required by FISMA. These publications include FIPS 199, FIPS 200, and the NIST 800 series.
The top FISMA requirements include:
- Information System Inventory: Every federal agency or contractor working with the government must keep an inventory of all the information systems utilized within the organization. In addition, the organization must identify the integrations between these information systems and other systems within their network.
- Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” defines a range of risk levels within which organizations can place their various information systems.
- System Security Plan: FISMA requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.
- Security Controls: NIST SP 800-53 outlines an extensive catalog of suggested security controls for FISMA compliance. FISMA does not require an agency to implement every single control; instead, they are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organizations must document the selected controls in their system security plan.
- Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.
- Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve FISMA Certification and Accreditation (C&A) through a four-phased process which includes initiation and planning, certification, accreditation, and continuous monitoring.
The Benefits of FISMA Compliance
FISMA compliance has increased the security of sensitive federal information. Continuous monitoring for FISMA compliance provides agencies with the information they need to maintain a high level of security and eliminate vulnerabilities in a timely and cost-effective manner.
Companies operating in the private sector – particularly those who do business with federal agencies – can also benefit by maintaining FISMA compliance. This can give private companies an advantage when trying to add new business from federal agencies, and by meeting FISMA compliance requirements companies can ensure that they’re covering many of the security best practices outlined in FISMA’s requirements.
Penalties for FISMA Non-Compliance
For those government agencies or associated private companies that fail to comply with FISMA there are a range of potential penalties including censure by congress, a reduction in federal funding, and reputational damage.
FISMA Compliance Best Practices
Obtaining FISMA compliance doesn’t need to be a difficult process. The following are some best practices to help your organization meet all applicable FISMA requirements. While this list is not exhaustive, it will certainly get you on the way to achieving FISMA compliance.
- Classify information as it is created: Classifying data based on its sensitivity upon creation helps you prioritize security controls and policies to apply the highest level of protection to your most sensitive information.
- Automatically encrypt sensitive data: This should be a given for sensitive information. Ideally, you should arm your team with a tool that can encrypt sensitive data based on its classification level or when it is put at risk.
- Maintain written evidence of FISMA compliance: Stay on top of FISMA audits by maintaining detailed records of the steps you’ve taken to achieve FISMA compliance.
Learn more about FISMA compliance by checking out the following resources:
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business