High-profile data breaches are relatively common in today’s digital society. A Clark School study at the University of Maryland revealed that there is a hacker attack every 39 seconds. A separate study by Juniper Research further added that the average cost of a data breach will exceed $150 million by the end of 2020.
The massive uptick can be attributed to cybercrime being more profitable than the overall drug trade industry. A report by Europol Serious & Organized Threat Assessment indicated that the overall worldwide impact of cybercrime rose to $3 trillion in 2013 and will continue to grow with the evolvement of innovative hacking techniques.
In most cases, cybercriminals target organizations with a high level of personally identifying information available at their disposal. Forrester reported that roughly 95 percent of breached records in 2016 came from only three industries: Technology, Retail, and Government.
The U.S. federal government gathers extensive amounts of data every minute, some of which it distributes to contractors and agencies that perform many of its functions. Subsequently, those agencies are legally required to ensure the security and safety of that data to prevent its exposure to theft or loss.
The Federal Information Security Management Act (FISMA) is the law that oversees those data security efforts. Passed in 2002, FISMA requires federal agencies to document, develop, and implement an information protection and security program to minimize the risk of losing national data while managing federal spending on information security.
FISMA has also developed a set of security guidelines and standards that federal agencies have to meet to achieve these goals. The scope of FISMA has been extended as well to accommodate state agencies administering federal programs. Private businesses that are involved in a contractual agreement with the government are also required to obtain FISMA compliance.
Technically, organizations that work with federally-generated information are providing security for information on behalf of the U.S. government. Failing to keep it safe could put the whole nation at risk of damage caused by various threats.
On the business side of things, FISMA can also bring a myriad of advantages. Federal agreements can be both long-termed and lucrative, which means that organizations that accomplish and stay in FISMA compliance are more likely to sustain those contracts over time.
The National Institute of Standards and Technology (NIST) assumes a critical part of the FISMA Implementation Project, which was launched in 2003. NIST gathers the rules and regulations that stem from federal laws and engenders the practices and processes that federal agencies use to implement those regulations. In some cases, the Office of Management and Budget (OMB) enforces these processes through its Circular A-130, which requires contractors to adhere to the following metrics:
- Create a comprehensive plan to maintain the safety and security of data
- Designate appropriate officials to supervise and manage the plan
- Perform extensive review of the agency’s security plan regularly
- Allow processing essential and relevant information before starting the operations
NIST has also developed the Risk Management Framework to be an essential element in the information security program of an agency by guiding the selection of security controls that will safeguard the assets, operations, and individuals associated with the government.
Nevertheless, the FISMA compliance process is unique to the adopting entity. Organizations that follow these required FISMA standards can define the scope of their security efforts while employing best practices, which increases the chances of achieving their desired security goals.
The primary FISMA requirements include the following:
Information System Inventory
Every contractor or federal agency working with the government are required to keep an inventory of all the information systems used within the organization. The information system inventory details all the integration paths that link the various aspects of the network to each other and separate entities.
The initial step to keeping an inventory of all information systems is to recognize what constitutes the information network in question. NIST provides guidance on determining system boundaries on their SP 800-18 Revision 1 paper, which will be used by an expert at RSI Security to help determine the information networks at the business’ disposal.
Organizations should classify their data and information systems in order of risk to guarantee that confidential data and the systems that use it are given the highest level of security. NIST has also published standards for the categorization of federal information systems to help agencies address specific kinds of risks with right and secured practices.
The initially required security standard by FISMA legislation, which is the FIPS 199, provides the definitions of security categories. The FIPS 199 system categorization is also the high water mark for the impact rate of any of the criteria for data types resident in a system.
System Security Plan
Among the FISMA compliance requirements include the need for organizations to develop a security plan that is kept up to date and maintained. The program should consist of specific things like the security policies, security controls within the agency, and a timetable for the introduction of further restrictions.
Each control listing should include a detailed description as well, which would enable the system owner or an auditor to verify its effectiveness. The System security plan will also indicate essential information about the system, which includes the system owner and the name of the system.
System security plans should indicate that the procedures in place and the designated people who outline and follow upon planned security controls. The security plan is also a significant input to the security accreditation and certification process for the system.
During the accreditation and security process, the system security plan is evaluated, updated, and accepted. The certification agent adjacently verifies the security controls described in the policy to ensure its consistency with the FIPS 199 security category.
For FISMA compliance, organizations are required to meet the minimum security requirements by choosing the appropriate security controls and assurance requirements as outlined on NIST SP 800-53. While FISMA does not require an organization to implement every single command, it is necessary to employ the controls that are relevant to its operations and systems.
However, agencies have the choice to apply the baseline security controls in adherence to the tailoring guidance provided by SP 800-53. This enables organizations to adjust their security controls to fit their operational environments and mission requirements. The process of choosing the right security controls and assurance requirements for organizational information systems is designed to achieve sufficient security.
NIST guidelines indicate that risk assessments should be three-tiered to pinpoint security risks at the business process, information system, and organizational levels. The risk assessment process confirms the security control set and examines if any additional controls are needed to protect agency assets, individuals, agency operations, or the nation.
The resulting set of security controls establishes a degree of security due diligence for federal agencies and contractors. Initially, a risk assessment begins by pinpointing potential vulnerabilities or threats, and mapping implemented controls to individual risks.
An expert from RSI Security will subsequently identify risk by estimating the impact and likelihood that every threat could be exploited. The end of the risk assessment process will indicate the estimated risk for all vulnerabilities and outlines whether the risk should be accepted or mitigated.
Additional security controls should be added to the system if the implementation of the plugin mitigates the risk. NIST has also developed the Security Content Automation Protocol (SCAP) and the Information Security Automation Program (ISAP), which support and complement the approach for ensuring continuous, cost-efficient security control assessments.
Certification and Accreditation
Agencies and organizations can achieve FISMA Certification and Accreditation after completing a four-phased process that includes planning and initiation, accreditation, certification, and continuous monitoring. Usually, the system controls are reviewed and certified to ensure proper function right after the completion of system documentation and risk assessment.
The information system will only be accredited once it is verified to have adhered to the regulations set on the NIST SP 800-37. The security accreditation is the official management decision given to an organization or agency official to authorize the operation of an information system.
Security accreditation also provides a form of quality control. It encourages business leaders and technical staff at different levels to employ the most effective security controls in an information system. The data and supporting evidence required for security accreditation is established during a comprehensive review of a security system, which is also known as security certification.
Security certification is an all-encyclopedic evaluation of the operational, technical, and management security controls in an operating system. The results gathered from a security certification is used to re-evaluate threats and update the system security plan. In short, the results will provide a factual basis for authorizing officials to make a security accreditation decision.
All accredited information systems are also required to track a chosen set of security controls while ensuring that the system documentation details all the modifications and changes to the network. Massive changes to the security profile of the system should kick-off an updated risk assessment and may also require re-certification.
Constant monitoring activities include continuous evaluation of security controls, status reporting, impact analyses of system changes, and configuration management. The organization sets the selection metrics and chooses a subset of the security controls implemented within the information system for assessment.
The organization also must establish a schedule for control monitoring to ensure sufficient coverage is accomplished. Besides the requirements above, here are some of the best practices on how to be FISMA compliant.
- Start by categorizing information that needs protection at a granular level. Beginning at the most basic level enables the organization to develop security layers up as they add measures related to subsequent layers.
- Determine the right baseline controls that will provide the necessary standard of security
- Use a risk assessment process to adjust the security controls based on how your organization, uses, stores manages or distributes specific data.
- Document controls as they evolve and recognize the options selected throughout the process to have a guide that can be used to explain and clarify the control-selection process.
- Apply controls throughout the system and re-evaluate the agency-level data risks that do not appear at the primary level.
- Implement tracking practices to maintain vigilance over the information security system as it communicates with contractors, workers, and other organizations.
FISMA-accredited information systems are also defined based on their impacts. Part of the criteria include:
- Low-Impact Systems. These are systems that can endure being comprised and would only have little consequences to the organization or individuals.
- Moderate Systems. These systems usually cannot survive security breaches. Attacks on modest systems can bring severe and adverse effects to the assets, individuals, and operations of the organization.
- High-Impact Systems. These systems are least resistant to withstanding a breach in security. A leak of high-impact information systems may lead to catastrophic damages that could mean significant financial losses, intellectual property damages, or physical damages to individuals.
Benefits of FISMA Compliance
FISMA compliance can increase the security of confidential federal data. Constant tracking for compliance gives organizations with the data they need to promote a high level of protection and eradicate vulnerabilities in a cost-efficient manner.
Organizations operating in the private sector can benefit from FISMA compliance, as well. Adhering to FISMA compliance requirements ensures that private companies are covering many of the security best practices that are standardized within their specific industry.
Associated private companies or government agencies that are unable to comply with FISMA compliance requirements may suffer several penalties. Potential penalties include reputational damage, a reduction in federal funding, or even an objection by congress.
Achieving FISMA compliance increases the organization’s ability to protect the private data of citizens and minimizes IT-related costs to the federal government. Moreover, the concrete advantages that are connected with being FISMA compliant extend far beyond achieving regulatory compliance.
It ensures that organizations are more aware of the evolving security risks they face in the evolving business environment. Start your journey towards FISMA compliance and get in touch with an expert at RSI Security today.