Penalties for Non-Compliance with FISMA (and how to avoid them)

No organization takes cyber security and digital privacy as seriously as the U.S. Department of Defense. It’s why the Federal Information Security Management Act (FISMA) was implemented by the DoD, setting data security standards government partners and contractors. Vendors that fail to comply with FISMA could be in for stiff fines and penalties.

The primary reason that FISMA was conceptualized was to create a cyber security framework not just for protecting sensitive information held by the federal government, but for ensuring that same information is carefully guarded by third parties, vendors, contractors, or anyone else that deals with certain types of classified and/or sensitive information. This covers multiple types of information, as both Covered Defense Information (CDI) and Controlled Unclassified Information (CUI) are guarded and governed by FISMA.

More specifically, FISMA enforces standards on vendors and partners based upon the National Institute of Standards and Technology (NIST) and what they’ve developed. FISMA security requirements (under NIST) set specifications and minimum requirements for contractors and vendors that handle things like source codes, engineering specifications, research data, process sheets, data sets, and operational manuals.

And the penalties for non-compliance can be stiff, depending on your situation. But are you currently aware of how FISMA applies to your organization, and are you familiar with the potential consequences for not complying? Read on to learn about the potential penalties for FISMA non-compliance, and how you should work with a compliance partner to avoid them.

 

FISMA Compliance Basics

Before delving into both direct and indirect penalties of FISMA non-compliance, let’s first take a quick look at the areas covered by FISMA that most contractors and vendors need to know about. Specific FISMA requirements are generally divided into four areas:

1. Information System Inventory – Both federal agencies, as well as contractors, are required to keep an inventory of all information systems used within the organization. All integrations of information systems should be clearly defined. 
2. Risk Assessment – Partners and contractors are required to conduct an assessment for security risks and ensure that business critical and sensitive information (CDI and CUI) are given the highest level of security. 
3. System Security Plan and Controls – According to FISMA, agencies need to devise, follow and periodically audit a security plan, paying special attention to controls and security policies specified in NIST 800–53. 
4. Email Archiving –  Partners and vendors need to retain all electronic documentation in the event of a Freedom of Information Act request or potential legal procedure. Email archiving technology must ensure FISMA archiving compliance requirements.

 

Assess your FISMA compliance

 

Within these four areas, there are actually 14 specific FISMA requirements that vendors, partners, and contractors need to address:

 

• Access Controls – Who controls access to digital and physical information?

• Awareness & Training – Is your staff being trained on FISMA compliant practices?

• Audit & Accountability – Do you conduct regular self-audits to ensure compliance?

• Configuration Management – Is your system configuration optimized to keep hackers out?

• Identification & Authentication – Do you have things like email encryption and multifactor authentication?

• Incident Response – Do you have an incident response plan in the event of a hack?

• Maintenance – Are you performing regular system maintenance to ensure continued compliance?

• Media Protection – Are all media devices (thumb drives, etc.) properly protected and stored?

• Physical Protection – Are things like file cabinets that contain CUI/CDI properly secured.

• Personnel Security – Do only the authorized personnel have access to the most sensitive or personal data?

• Risk Assessments – Are you performing regular risk assessments with a compliance partner?

• Security Assessment – Are you assessing the security of your internal IT infrastructure and processes regularly?

• System & Communications Protection – Do you have adequate safeguards around your systems and communication channels to prevent breaches.

• System & Information Integrity – Is your system data correct and uncorrupted at any given time?

Some of these areas will affect your business more than others, so it’s important to work with a FISMA/NIST compliance partner for extra guidance to make sure all the appropriate bases are covered, and you’re able to avoid the following direct (and some indirect) penalties and consequences for non-compliance.

 

1. Direct – Loss of Federal Funding

One of the biggest penalties that contractors face in the event of non-compliance is the complete loss of federal funding. For many vendors, part of the relationship with their government clients or customers is some level of federal funding to enhance their efforts. Typically these are companies are in industries such as defense, information technology, healthcare, industrial manufacturing, and energy.

Depending on your business or organization, the loss of federal funding can be anywhere between a drop in the bucket to a large chunk of cash. Therefore, you’ll want to work with your compliance partner and do everything in your power to avoid issues that could result in the withdrawal of federal funding. Here are some of the main areas and activities that you should consider with your partner:

 

• Consultation & Gap Analysis – Assess the current compliance status and scope of CUI exposure and potential liability. Findings usually encompass security posture, verification of current security policies and procedures to safeguard CUI, and a detailed roadmap on recommended measures for FISMA compliance.
  
• Vulnerability Assessment – Identifies, quantifies and prioritizes all potential hazards that might affect your physical and digital protections. Helps spot gaps in your systems that might be FISMA non-compliant. 
• IT Infrastructure Assessment – A regular review of your organization’s existing IT infrastructure helps you identify opportunities for improvement, allowing for more informed technology decisions.that will be in compliance with FISMA. 
• Penetration Testing – Simulation of real-world attacks to assess external applications, networks, and mobile applications vulnerabilities. Network level penetration tests reveal system vulnerabilities that can be easily exploited by real-world attackers. Pen testing helps uncover vulnerabilities that are potentially non-compliant so that they can be proactively addressed.

At the end of the day, it’s your responsibility that anywhere CDI or CUI is stored (digitally or physically) needs to up to FISMA standards to avoid the plug potentially being pulled on your federal funding.

 

2. Indirect – Poor Cybersecurity Infrastructure

NIST and FISMA haven’t pulled their cybersecurity standards out of thin are, nor have they introduced them to make the lives of vendors and contractors more difficult. FISMA standards exist because organization who adopt and abide by those standards are far more likely to have a strong cybersecurity infrastructure, and be less susceptible to a data breach. Ignoring FISMA standards or taking a lax “business as usual” approach as it relates to compliance might not result in an audit or violation found, but your overall protections won’t be as good as those laid out in FISMA.

Here are some of the areas where negative consequences often result within organizations that don’t take the time and effort to ensure that their cybersecurity infrastructure is FISMA compliant (at a minimum):

 

• Identification – You constantly need to identify where (and how) your CDI and CUI are vulnerable. All sensitive information that needs to be protected should be identified and documented. Failure to be FISMA compliant, and not proactively identify vulnerabilities and threats, will make you a prime target for cybercriminals.

• Protection – You’ll need to draft and implement appropriate safeguards that will ensure the delivery of critical services in the event of a cyber attack. This helps to limit the potential disruption of a data breach and allow core activities to continue as planned. Failure to have a FISMA compliant protection plan will leave you confused and scrambling in the event of a breach.

• Detection – Your IT security team must put in place tools and processes that will allow the organization to rapidly detect and identify a cyber attack. This involves the deployment of monitoring tools that can alert staff should an anomalous event take place or unusual network activity be noticed. Vendors that aren’t up to FISMA level detection standards often fail to cyber attackers until well after the attack was initiated.

• Response – Your company should develop a thorough list of steps to be carried out in the event of a cybersecurity incident to minimize the impact on the business and other stakeholders. If you don’t have a FISMA compliant response plan, you’re betting on the fact that your staff will automatically know what to do. You’re better off having a concrete, detailed response plan that’s up to FISMA snuff.

• Recovery – Develop and implement appropriate measures to ensure the organization can return to normal operations as quickly as possible following an incident. A FISMA compliant recovery plan will minimize the damage and loss of data in the event of an attack. Otherwise, you’ll be running the risk of complete data loss with insufficient backup and recovery measures.

Having a poor cybersecurity infrastructure and not following the FISMA regulations are some of the biggest indirect consequences of being FISMA non-compliant. Make sure to work with your FISMA compliance partner to assess all the above areas, and implement the most effective measures possible.

 

3. Direct – Potential Government Hearings

Depending on the the nature of the cyber incident, contractors and vendors may be subject to being called for government hears to further determine the scope of the damage, and assess whether or not your organization was FISMA compliant prior to the hack. Especially if you’re dealing with potential theft or exposure of CUI/CDI involving defense and national security contracts.

Being called for a government hearing because your cybersecurity measures weren’t FISMA compliant is just the start of what can turn into a painful and lengthy process. Nevermind the time and money it costs to have some of your critical personnel take time out of the office and travel to Washington D.C. If you work with a compliance partner and are assured that your security measures satisfy FISMA, you’ll be far less likely to have to hop on an airplane and answer questions in front of a committee.

 

4. Indirect – Reputational Damage

It goes without saying that any well-publicized cyber breach can be of great damage to any company’s reputation. For vendors and contractors who experience one and are then found to be non-compliance with the FISMA framework, the damage can be practically fatal. Even if you’re not censured from future contracts (we’ll get into that below) rest-assured that future contracts won’t come without additional assurances from (and scrutiny of) your organization’s cybersecurity practices. This, in addition to your reputational damage to potential future customers and clients in the private sector. Don’t run the risk of your company’s brand getting tarnished, and implement FISMA-level security measures as soon as possible.

 

5. Direct – Censure from Future Contracts

Finally, the biggest penalty that federal government agencies can levy on companies that aren’t FISMA compliant is the censure from all future government contracts. Effectively, you security breach and compliance violations were so severe that you’re banned from receiving any future government contracts. While this happens in only the most severe of cases (usually a high-profile breach where highly sensitive CDI or CUI was compromised and there are major security risks present), for many vendors that rely on government contracts as the life-blood of their business, this step can prove ultimately devastating.

 

Closing Thoughts

By now you should be familiar with what are FISMA and NIST, the basics of why FISMA compliance is so important, and the penalties for non-compliance. Again, FISMA and NIST aren’t setting compliance standards just to make life difficult for vendors and contractors, but rather are taking proper precautions in making sure partners who deal with CDI and CUI are adequately protecting that critical information.

Failure to abide by the FISMA regulations can result in any number of adverse consequences. You may be stripped of federal funding, or be barred from receiving future federal contracts. You may even be called to Washington D.C. to testify on what went wrong. You’ll be leaving yourself vulnerable with a less-than-optimal cybersecurity infrastructure, not to mention the reputational damage that will likely take place if you have a cyber breach that’s directly (or even indirectly) the result of FISMA non-compliance. All the more reason to make sure you work with a qualified NIST compliance expert like RSI Security to perform activities like gap analysis, vulnerability scans, penetration tests, and email encryption implementation guidance. By investing in modern cyber security solutions, you’ll put yourself in the position to avoid all FISMA penalties now and into the future.