FISMA Compliance Solutions | HelpSystems
FISMA Compliance

Meet FISMA compliance requirements with solutions from HelpSystems

What is FISMA Compliance?

The Federal Information Security Management Act (FISMA), signed into law in 2002, requires that security guidelines be implemented to protect sensitive federal data and reduce the security risk to it. It requires all federal agencies to protect and support their operations by developing, documenting, and implementing a comprehensive information security plan. All agencies within the U.S. federal government, some state agencies, and any private sector organization in a contractual relationship with the government are bound by these FISMA compliance regulations.

By Congressional amendment in 2014, the Federal Information Security Modernization Act, Public Law 113-283, brought FISMA closer in line with current information security concerns. Federal agencies are now encouraged to use more continuous monitoring and to focus more heavily on compliance.

Evaluation of FISMA compliance is reported by agencies annually to the Office of Management and Budget (OMB), and each FISMA Report Card is available to the public.

Who Needs to Be FISMA Compliant?

When first created, FISMA only applied to federal agencies. The law has since evolved and now covers state agencies that administer federal programs such as unemployment insurance, student loans, Medicare, Medicaid, etc.

In addition, any contractors or private sector companies that do business with federal agencies, support federal programs, or even receive grant money, must also comply with the same information security guidelines as the federal agency they are working alongside. This includes companies such as software providers and cloud services companies.

Staying on top of FISMA requirements can help contractors and other vendors avoid having a contract cancelled, being put on the federal contractor blacklist, or even having to appear before a Congressional hearing if the security lapse is severe enough.

NIST Standards & Compliance

What are NIST Standards?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency that has issued specific guidance for government bodies, as well as their contractors, on complying with FISMA.

Achieving FISMA compliance requires organizations seeking government contracts to look intensely at their networks and cybersecurity procedures to ensure they meet the appropriate security requirements contained in NIST’s special publications, most notably, NIST SP 800-171 and NIST SP 800-53.

Specifically, NIST:

  • Minimum Requirements: Sets the minimum requirements for information security plans and procedures.
  • Security Systems: Recommends the types of security systems, software, etc., that agencies need to implement and approves the vendors for them.
  • Risk Assessment: Standardizes the risk assessment process and, depending on agency risk assessments, sets varying standards of information security.

NIST SP 800-171

Government bodies, as well as contractors and subcontractors working with them, must maintain compliance with NIST standards and guidelines for the entire duration of their contract. In 2017, NIST published SP 800-171, which spells out the standards and guidelines for managing government data while it resides in, is processed by, or passes through nonfederal information systems.

This government data is also known as Controlled Unclassified Information (CUI). While CUI is sensitive, it does not qualify as classified information. It is, however, commonly used by service providers who perform business functions for government agencies. SP 800-171 helps define how CUI is protected.

The publication details procedures for how data is handled, safeguarded, and controlled while it is exchanged through nonfederal systems, so that CUI is secured appropriately and available only to the specific users who need to work with it on a specific project.

A few key areas organizations need to address to meet SP 800-171 requirements include:

  • Who is authorized to view and access the data?
  • Are people aware of and trained in how this information should be handled?
  • How is data access accounted for and audited?
  • How secure are the networks?
  • Who can access the agency’s equipment, systems, and data storage?
  • What is the response time for any breaches or threats to CUI?

NIST SP 800-53

One of the most robust NIST publications set forth in accordance with FISMA is NIST SP 800-53, or the “Recommended Security Controls for Federal Information Systems and Organizations.” This special publication details the specific controls designed to support secure federal information systems and lays out best practices and global standards for maintaining confidentiality, integrity, and availability.

The framework is split into five different functions: identify, protect, detect, respond, and recover. Within these functions are 20 security controls. Agencies select from these controls those that apply most to their unique requirements for low-, moderate-, or high-impact risks.

The controls address access control, auditing and accountability, awareness and training, configuration management and planning, identification and authentication, incident response, maintenance, media protection, physical protection, risk assessment, system and information integrity, and more.

As technology has evolved, NIST SP 800-53 has been revised to cover areas like cloud computing, mobile technology, insider threats, supply chain security standards, application security, and more.

Some best practices for complying with NIST SP 800-53 include:

  • Identifying your sensitive data
  • Classifying sensitive data
  • Evaluating your cybersecurity via a risk assessment
  • Documenting your policies and procedures
  • Training users on cybersecurity best practices

FISMA Compliance Tools from HelpSystems

Managed File Transfer and FISMA Compliant File Transfer

Ensuring that file transfers performed under the guidelines of FISMA are secure is an essential step toward FISMA and NIST compliance. Several of the NIST SP 800-53 controls can be addressed through a managed file transfer (MFT) solution, such as GoAnywhere MFT, which includes:

  • Data Protection: Encryption of data at rest and in transit throughout the file transfer process
  • Access Control: Access controls that limit data access to only those who need it
  • Auditing Logs: Audit logs and reporting that efficiently provide the data needed for annual FISMA audits

Start Your Journey toward FISMA Compliance

HelpSystems provides government agencies, as well as private sector organizations, with the robust solutions needed to achieve and maintain FISMA compliance. One of our experts can help you explore the solutions that are right for you.