What is FISMA Compliance?
FISMA compliance is compliance with the applicable standards and guidelines developed by the National Institute of Standards and Technology (NIST) following the passage of the Federal Information Security Management Act of 2002 (FISMA). FISMA compliance is mandatory for federal agencies, for state and local government agencies in receipt of federal funding, and for service providers working with federal, state, and local government agencies.
When FISMA was passed in 2002, it required all federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. The requirements also applied to information and systems provided or managed by third-party service providers, and were later extended to include state and local government agencies in receipt of federal funding.
To support covered entities in meeting the FISMA compliance requirements, FISMA authorized NIST to develop standards and guidelines to protect federal information and information systems. NIST subsequently published a suite of information security risk management standards and guidelines which should be used as a repeatable 7-step program to meet the requirements of FISMA and the Federal Information Security Modernization Act of 2014.
The 7 FISMA Compliance Requirements
Because different agencies and service providers process and maintain different volumes of information with different degrees of sensitivity, there is no one-size-fits-all FISMA compliance checklist. Agencies and service providers must implement the applicable standards and guidelines in each step in order to implement an effective risk-based approach to manage information security risk.
1. Prepare
FISMA requires agencies and service providers to compile and maintain an inventory of their information systems and identify where systems interact with other systems or networks – including those not operated by or under the control of the agency or service provider. NIST SP 800-18 r1 provides guidance on developing system security plans and determining how to group information systems and their boundaries. Other relevant publications include:
NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View.
NIST SP 800-30 – Guide for Conducting Risk Assessments.
NIST SP 800-160, Volume 1 – Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
NISTIR 8062 – An Introduction to Privacy Engineering and Risk Management in Federal Systems.
The Guide for Conducting Risk Assessments is particularly relevant to FISMA compliance because a risk assessment is necessary to complete Steps 3 to 7. The Guide contains a repeatable yet flexible methodology for conducting risk assessments, and multiple tools and templates for assessment tasks such as identifying threat sources, determining adverse impacts (which is helpful for Step 2), and producing risk assessment reports.
2. Categorize
All covered information and information systems must be categorized according to the potential impact on an agency or service provider should certain events occur which jeopardize the information and information systems the organization needs to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Each of the three security objectives (confidentiality, integrity, and availability) is rated separately for potential impact.
FIPS 199 provides the guidelines for the categorization of security objectives. Covered agencies and service providers need to be aware that the highest impact level across the three security objectives determines the categorization for the information set or system as a whole (the "high-water mark"). For example, if a system scores “low impact” for confidentiality and integrity, but “high impact” for availability, the impact level for the whole information set or system would be high.
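The high-water mark rule above is easy to apply to a single set of ratings, but a real system processes several information types, and FIPS 199 categorizes the system by taking, for each security objective, the highest level any of its information types carries, then taking the highest of those three per-objective levels. The following is an added example (not code from the original article or from NIST) that implements that two-stage rule and rejects malformed input; the information types and their ratings are constructed for illustration only.

```python
"""FIPS 199 style security categorization using the high-water mark.

Added example, not from the original article or any NIST publication.
Assumes an information system handles several information types, each
rated low/moderate/high for confidentiality, integrity and availability.
"""
from typing import Dict, Iterable, Tuple

# FIPS 199 impact levels, ordered so the high-water mark is a max().
IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoType = Dict[str, str]  # e.g. {"confidentiality": "low", "integrity": "moderate", ...}


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level in `levels`, validating each value."""
    best = None
    for lvl in levels:
        key = lvl.strip().lower()
        if key not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {lvl!r}")
        if best is None or IMPACT_ORDER[key] > IMPACT_ORDER[best]:
            best = key
    if best is None:
        raise ValueError("no impact levels supplied")
    return best


def categorize_system(info_types: Dict[str, InfoType]) -> Tuple[Dict[str, str], str]:
    """Categorize a system from the information types it processes.

    Stage 1: for each objective, the system level is the highest level any
             information type carries for that objective.
    Stage 2: the overall system impact is the highest of the three
             per-objective levels (the high-water mark the article describes).
    Returns (per_objective_levels, overall_level).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective: Dict[str, str] = {}
    for obj in OBJECTIVES:
        levels = []
        for name, ratings in info_types.items():
            if obj not in ratings:
                raise ValueError(f"information type {name!r} lacks a rating for {obj}")
            levels.append(ratings[obj])
        per_objective[obj] = high_water_mark(levels)
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


# Constructed sample: a hypothetical case-management system (not real data).
SAMPLE_SYSTEM: Dict[str, InfoType] = {
    "public notices":  {"confidentiality": "low",      "integrity": "moderate", "availability": "low"},
    "case files":      {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "scheduling feed": {"confidentiality": "low",      "integrity": "low",      "availability": "high"},
}

if __name__ == "__main__":
    objectives, overall = categorize_system(SAMPLE_SYSTEM)
    print("per objective:", objectives)  # confidentiality/integrity moderate, availability high
    print("overall:", overall)           # high
```

Note that a single "high" availability rating on one feed pulls the whole system to "high", which is exactly the effect the article's low/low/high example describes; in practice this is why teams split a system into separate authorization boundaries (see Step 1) rather than let one high-impact information type raise the baseline for everything.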
3. Select
The Select Step (often referred to as the “Security Plan”) requires covered entities to select, tailor, and document the controls implemented to protect information, information systems, and the organization from identified risks. The controls can consist of policies, procedures, or software, but all controls must have monitoring capabilities in order that covered entities can comply with Step 7 of the FISMA compliance requirements. Relevant publications include:
FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems.
NIST SP 800-53 – Security and Privacy Controls for Information Systems and Organizations.
NIST SP 800-53B – Control Baselines for Information Systems and Organizations.
Covered entities are not required to implement every control – just those that are applicable to their operations and that meet the minimum security requirements. The documentation of the controls can – but does not have to – follow the guidelines in NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems. Even where it is not followed, the Guide is worth consulting for its further information about “boundary planning” (see Step 1) and its sample security plan template.
4. Implement
Although the Implement Step appears to consist simply of activating the controls, there may be more to it if common organization-wide controls have compatibility issues and/or if a control proves ineffective in meeting the information security requirements. It may also be the case that members of the workforce require training in order to support the organization’s FISMA compliance efforts. Relevant publications for Step 4 include:
NIST SP 800-34 – Contingency Planning Guide for Federal Information Systems.
NIST SP 800-61 – Computer Security Incident Handling Guide.
NIST SP 800-128 – Guide for Security-Focused Configuration Management of Information Systems.
5. Assess
The Assessment Step consists of developing plans of how the effectiveness of the controls is assessed, selecting assessors or assessment teams (depending on the size of the organization), and running assessments in controlled environments. If any remedial actions are required either at the Implement or the Assess Step, these must be documented and the Security Plan revised to account for any changes. Relevant publications for the Assess Step include:
NIST SP 800-53A – Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.
NISTIR 8011 – Automation Support for Security Control Assessments: Multiple Volumes.
6. Authorize
The Authorize Step is also known as the Certification and Accreditation Step because, prior to the launch of the Federal Risk and Authorization Management Program (FedRAMP) in 2011, there was a NIST Guide covering the security certification and accreditation process. The Authorization Step is now standardized for all agencies and service providers so that, once a service provider is FedRAMP authorized, it is authorized for all agencies.
7. Monitor
Monitoring the effectiveness of information system security controls is a key part of FISMA compliance. It requires ongoing assessments of control effectiveness, analyses of monitoring activities (to ensure monitoring activities are effective), and processes to report or escalate security issues. Maintaining ongoing situational awareness about the security posture of the system supports risk management decisions in future risk assessments. Relevant publications include:
NIST SP 800-137 – Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.
NIST SP 800-137A – Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment.
NISTIR 8212 – ISCMA: An Information Security Continuous Monitoring (ISCM) Program Assessment.
NISTIR 8011 – Automation Support for Security Control Assessments: Multiple Volumes.
NIST SP 800-53A – Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.
FISMA Compliance vs FedRAMP Compliance vs CMMC Compliance
Since the passage of the Federal Information Security Management Act of 2002, further standards have been published to accommodate the increased adoption of the cloud by federal, state, and local government agencies, and the increased threats to highly sensitive government information. Two of the most significant sets of standards to be published are FedRAMP and the Cybersecurity Maturity Model Certification framework (CMMC).
FedRAMP is very similar to FISMA inasmuch as the requirements for FedRAMP authorization closely mirror those for FISMA authorization. The difference between the two authorizations is that FISMA compliance applies to all technologies and systems, while FedRAMP compliance only applies to cloud services. In addition, FISMA authorization is agency specific, while a FedRAMP authorization for a service provider can be leveraged by multiple agencies.
The Cybersecurity Maturity Model Certification framework replaced the Defense Federal Acquisition Regulation Supplement (DFARS) requirements in 2020 and applies to all service providers to the Department of Defense. CMMC compliance is based on NIST SP 800-171 and 800-172, depending on the level of access to Controlled Unclassified Information and the priority of the DoD program. You can read more about CMMC compliance in this article.