Maintaining compliance with the Federal Information Security Management Act (FISMA) is essential for government agencies or private contractors that deal with those agencies. Since its formal adoption in 2003, FISMA has helped safeguard critical systems and information. Although FISMA compliance is mandatory for some, it carries with it a number of tangible benefits. In this article, we’ll break down what FISMA is, what the requirements of FISMA are, FISMA standards, and what benefits compliance with FISMA brings for covered entities. This information can help inform organizational decisions regarding whether obtaining, or maintaining, FISMA compliance can be beneficial to your organization and its cybersecurity solutions.
What is FISMA?
In order to understand the benefits associated with FISMA compliance services, it is first helpful to have some basic knowledge about what FISMA is. FISMA became public law as part of the E-Government Act of 2002, and was formally adopted December 2002. Since it’s introduction, FISMA has undergone significant changes that culminated in the adoption of FISMA 2014. At the core of FISMA was the requirement for federal agencies to adopt a comprehensive information security plan. This was centered around a risk-management based approach to cybersecurity, which is embodied by the Risk Management Framework developed by the National Institute of Standards and Technology (NIST). Gaining a better understanding of the benefits associated with becoming fisma compliant requires understanding how adopting a risk-based approach to your cybersecurity implementation can help your organization.
The passage of FISMA represented a sea change for federal agencies. The updated requirements embedded in FISMA 2014 further reinforced the ability of FISMA to help agencies achieve a cybersecurity posture commensurate with their risk levels. In order to ensure that FISMA requirements are clearly understood there are a number of publications that, taken together, embody the FISMA regulatory requirements. These FISMA publications are developed by NIST, and can be found on their publications site.
The publications that form the body of FISMA regulations covered entities must adhere to include Federal Information Processing Standards (FIPS) 199 and 200, as well as NIST publications 800-59, 800-60, 800-137, 800-18. Further security guidance is provided in NIST publications 800-37, 800-39, 800-171, 800-171A, 800-53A, and the NIST interagency report 8011. While this may seem like a daunting list, many of the security requirements outlined in these documents will be familiar for organizations that have already achieved NIST compliance. For those that aren’t familiar with NIST standards and requirements, we’ll break down a broad overview of FISMA requirements.
FISMA Compliance Requirements
FISMA 2002 introduced a wide variety of requirements for federal agencies and associated support entities. Many of these requirements were carried over into FISMA 2014, with one substantial difference being that the Department of Homeland Security was given responsibility to oversee the implementation of FISMA requirements. DHS was also tasked with operational oversight of the federal information security incident center, and was granted the authority to conduct security and vulnerability assessments of entities covered by FISMA. Under FISMA 2014, DHS has the authority to regularly conduct a fisma compliance audit to ensure that covered entities are complying with FISMA requirements. Alongside DHS, both the Office of Management and Budget retained oversight responsibilities for FISMA implementation, and remains deeply involved in the continuing implementation of the security management requirement.
While FISMA 2014 introduced a number of changes to the complex system of agencies in charge of oversight and implementation, it carried over many of the same requirements that existed from FISMA 2002. A brief outline of these requirements sheds light onto the way that FISMA brought about substantial change, and modernization, to the way that federal agencies handled securing assets, systems, and information from cyber threats.
The first and most notable requirement embedded in FISMA was that each federal agency and associated contractor must develop an information security program that was centered around risk management. The first step in this program is adequately quantifying the risk facing an organization. This requires careful analysis of information and systems to determine the impact of unwanted access to, or destruction of, secured information. Once a comprehensive analysis of all information and assets has been completed, the agency must then develop and implement security policies and procedures designed to adequately minimize the security risks of a harmful event.
In addition to adopting and crafting a risk-management centered approach to information security, federal agencies are also required to maintain an ongoing training program mean to promote information security awareness. This fisma compliance training is centered around providing employees a clear picture of their responsibilities regarding information security, with enhanced security training for individuals directly involved in maintaining the information security program. As part of ongoing FISMA requirements, agencies must also develop a comprehensive plan to continually monitor and assess their information security implementation. At a minimum this assessment is required to occur annually, but the frequency of a security assessment is commensurate with the risk that an agency or entity faces from cyber threats.
FISMA also carries with it requirements for agencies and contractors to develop a program to remediate discovered vulnerabilities. In addition to this, FISMA carries with it strict reporting requirements in the event of an incident. Should an incident occur, agencies and contractors must have an incident detection and response plan in place.
As the brief outline above illustrates, the FISMA compliance requirements as a whole represent industry accepted best practices for understanding the risk that faces an organization and developing procedures and protocols to minimize that risk to acceptable levels. Each agency or entity under the umbrella of FISMA is empowered to develop their own information security program, with their unique operational requirements, organizational structure, and desired level of exposure in mind.
Are There Benefits to FISMA Compliance?
The dizzying array of regulatory bodies in any number of industries can quickly lead to fatigue and a fatalistic attitude towards compliance. Regulatory compliance is often viewed as a necessary burden which diverts time and resources from achieving operational or business objectives. FISMA compliance should not be viewed in this light. Rather, compliance with FISMA yields a number of important benefits that ultimately translate into a heightened readiness for current and emerging cyber threats. Let’s look at a couple of the key strengths that FISMA compliance brings.
Risk-Management Centered Approach
The core of FISMA is the development and implementation of a risk-management centered approach to information security. In today’s world, risk is ever increasing as new devices and applications, many of them on personal devices, are being incorporated into daily operations. Yet, despite the rising risks of successful cyber attacks, many companies continue to approach cybersecurity from a static perspective. The idea has been to continually bolster an information security program across the board, rather than making targeted improvements to security based on present or future risk. The asymmetrical nature of cyberattacks all but guarantees that eventually a persistent and motivated attacker will succeed against valuable, and protected, targets.
While continually expanding existing information security programs can be beneficial, few organizations have the resources available for this approach. FISMA itself charges agencies with adopting a “cost-effective” information security program that is adequate to reduce risk to acceptable levels. A risk-management centered approach to cybersecurity differs substantially from a risk-aversion approach. Using the FISMA model, organizations must accept that they face a constant threat, and must make operational decisions regarding their appetite for risk. This approach incorporates cybersecurity considerations into organization-wide operational decisions, as management and leadership must allocate resources according to their operational goals. By approaching cybersecurity from a risk-management perspective, organizations create the framework for a long-lasting information security program that is flexible enough to adapt to threats that an organization currently faces, as well as threats that they face in the future.
Continual Monitoring and Assessment
Businesses and organizations face a vastly different threat landscape than they have in the past. Today’s modern cyber-threat landscape is characterized by a wide array of threats and threat actors, including advanced persistent threats. Adequately addressing these threats requires modern organizations to adopt a continual process for assessing their current cybersecurity implementation and improving on it over time. FISMA compliance requires that federal agencies and attached organizations develop and implement an information security program that incorporates regular monitoring, scanning, and updating of cyber security policies and procedures.
The advantages of developing a program for continuous monitoring and updating of an information security program are numerous. The majority of successful attacks take place against system vulnerabilities resulting from outdated software or firmware. Implementing a continual program for monitoring your systems and assets includes developing a robust patch management system. Regular monitoring and scanning will highlight system vulnerabilities before a successful attack can be mounted, while also informing ongoing operational decisions regarding the allocation of resources to meet changing threats that an organization faces.
Training and Organizational Awareness
One of the most common avenues for successful cyber attacks is through an organization’s human assets. In fact, between 75% and 95% of threats an organization faces are linked directly to employees that lack adequate knowledge and awareness of cyber threats. Many employees simply lack an awareness of the critical role that cybersecurity plays in any modern organization. They may not understand how their actions can allow threat actors to gain access to protected systems and information. FISMA addresses this inadequacy by requiring federal agencies and attached organizations to develop and implement an ongoing information security training program.
Creating a comprehensive cybersecurity training program is essential not only for entities that are covered by FISMA, but also any modern organization. Many employees don’t have the knowledge base to keep abreast of constantly changing threats, and may not have a clear understanding of how their actions can result in harmful cyber security incidents. With many of today’s threat actors seeking out access to protected information, promoting a culture of protecting that information from the bottom-up is necessary. Implementing an ongoing information security training program also creates an organizational culture and posture with cybersecurity as a central concern. This is beneficial for any organization moving forward, particularly as the threats facing organizations become more sophisticated and attacks become more numerous.
Incident Response and Remediation
While many organizations have some form of a information security program, these programs are primarily centered around stopping an attack from ever happening. While this important, equally important is creating a system for dealing with a successful attack when it occurs. FISMA explicitly requires organizations to develop and implement an incident response program. The reason for this is simple. Detection and mitigation techniques can have a large impact on the severity of the impact should a successful attack occur.
Incident response teams provide a number of services that add value to any organization, and are an essential part of a comprehensive cybersecurity program. The goal of an incident response team is to identify when a breach has occurred, contain the breach, assess the impact of the breach, identify and address vulnerabilities that led to the breach, and determine the extent of harm resulting from the breach. A rapid response to a breach can limit the scope of impact and harm to an organization that results from the breach, while also allowing an organization to quickly address the vulnerability that led to a breach in the first place. Developing and implementing an incident response plan consequently makes organizations more resilient towards cyber threats.
The tangible benefits that are associated with adopting the FISMA cybersecurity framework extend far beyond simply achieving regulatory compliance. While attaining FISMA compliance can bring monetary benefits, such as enabling private sector contractors to conduct business with federal agencies, the regulatory requirements outlined in FISMA represent industry accepted best-practices for developing a comprehensive information security program. By adopting the framework outlined in FISMA, organizations are more aware of the security risks they face, more prepared to address those risks, and more resilient in the event of a breach. If your organization is considering attaining FISMA compliance but isn’t sure where to start, contact RSI Security today to request a consultation and learn about FISMA services offered,
 Shane Palmer, Information Security Across Federal Agencies?: Analysis of Adequacy and Effectiveness, American Political, Economic, and Security Issues (New York: Nova Science Publishers, Inc, 2016), 8-10.
 Nate Fick, James Lam, and Shelley Leibowitz, “More Is Not Always Better: A Value-Based Approach to Cyber-Risk Oversight.,” NACD Directorship, April 3, 2018, 46-49.
 Jodi Goode et al., “Expert Assessment of Organizational Cybersecurity Programs and Development of Vignettes to Measure Cybersecurity Countermeasures Awareness.,” Online Journal of Applied Knowledge Management 6, no. 1 (January 2018): 67–69.
 Leighton Johnson, Computer Incident Response and Forensics Team Management?: Conducting a Successful Incident Response(Rockland: Syngress, 2014), 18-19.