FISMA Compliance

When first created, FISMA only applied to federal agencies. The law has since evolved and now covers state agencies that administer federal programs such as unemployment insurance, student loans, Medicare, Medicaid, etc.

In addition, any contractors or private sector companies that do business with federal agencies, support federal programs, or even receive grant money, must also comply with the same information security guidelines as the federal agency they are working alongside. This includes companies such as software providers and cloud services companies.

Staying on top of FISMA requirements can help contractors and other vendors avoid having a contract cancelled, being put on the federal contractor blacklist, or even having to appear before a Congressional hearing if the security lapse is severe enough.

Government bodies, as well as contractors and subcontractors working with them must maintain compliance with NIST standards and guidelines throughout the entire time of their contract. In 2017, NIST published SP 800-171, which spells out the standards and guidelines for regulating the management of government data while it resides in, is processed by, or crosses through nonfederal information systems.

This government data is also known as Controlled Unclassified Information (CUI). While CUI is sensitive, it does not qualify as classified information. It is, however, commonly used by service providers who perform business functions for government agencies. SP 800-171 helps define how CUI is protected.

Procedures related to how data is handled, safeguarded, and controlled while it is exchanged through nonfederal systems are detailed to ensure CUI data is secured appropriately and only available to specific users who need to work with it on a specific project.

A few key areas organizations need to address to meet SP 800-171 requirements include:

• Who is authorized to view and access the data?
• Are people aware of and trained in how this information should be handled?
• How is data access accounted for and audited?
• How secure are the networks?
• Who can access the agency’s equipment, systems, and data storage?
• What is the response time for any breaches or threats to CUI?

Image

One of the most robust NIST publications set forth in accordance with FISMA is NIST SP 800-53, or the “Recommended Security Controls for Federal Information Systems and Organizations.” This special publication details the specific controls designed to support secure federal information systems and lays out best practices and global standards for maintaining confidentiality, integrity, and availability.

The framework is split into five different functions: identify, protect, detect, respond and recover. Within these functions are 20 security controls. Agencies select from these controls those that apply most to their unique requirements for low-, moderate-, or high-impact risks.

The controls address access, auditing and accountability, awareness and training, configuration management and planning, identification and authentication, incident response, maintenance, media protection, physical, risk assessment, system and information integrity, and more.

As technology has evolved, NIST SP 800-53 has been revised to cover areas like cloud computing, mobile technology, insider threats, supply chain security standards, application security, and more.

Some best practices for complying with 800-53 include:

• Identifying your sensitive data
• Classifying sensitive data
• Evaluating your cybersecurity via a risk assessment
• Documenting your policies and procedures
• Training users on cybersecurity best practices