The Federal Information Security Management Act (FISMA) was introduced in 2002 to ensure that all government vendors, contractors, and partners handle confidential and sensitive information appropriately, with the intent of protecting it against a range of security threats. Depending on the nature of your business, you will need to reach specific levels of compliance to avoid FISMA fines, penalties, and consequences.
More specifically, FISMA compliance levels are governed by National Institute of Standards and Technology (NIST) regulation NIST 800-171. In general, NIST 800-171 compliance for FISMA requires that contractors implement security controls and measures to guard against cyber incidents and attacks. Contractors are required to take proper precautions in how they store, collect, and transmit various types of sensitive information such as engineering schematics, research data, and technical reports. Read more in our related article, NIST 800-171 Checklist: What You Need to Know.
As of December 31, 2017, FISMA mandates that any such Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) be protected at one of the three following levels: Low, Moderate, and High. Prime contractors and/or subcontractors must have both their data and information systems protected at the appropriate level, or risk losing current or future contracts.
But what exactly are the three main levels of FISMA compliance requirements? And what steps can you take to ensure that your security practices are up to par with the appropriate level for FISMA regulations and security policies? Read on to find out.
More on Security Objectives
Before diving into the specific compliance levels, let’s first examine the objectives and security standards of these levels as laid out by FISMA and NIST. FISMA defines three primary security objectives for information and information systems that handle CUI and CDI for all vendors, partners, or contractors:
- Confidentiality – “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” A loss of confidentiality is defined by FISMA as the unauthorized disclosure of information. Therefore, all compliance levels and FISMA regulations are geared toward keeping private information just that.
- Integrity – “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” A loss of integrity is defined as the unauthorized modification or destruction of information. As such, FISMA regulations and compliance levels have the goal of making sure that no external or internal parties are able to change or modify CDI or CUI.
- Availability – “Ensuring timely and reliable access to and use of information.” A loss of availability is the disruption of access to or use of information or an information system. Towards this end, FISMA compliance requirements and compliance levels are designed to ensure that all of your critical cybersecurity infrastructure is up, running, and online so that hackers are kept out.
Depending on the nature of your business, you may need to work with your cybersecurity compliance partner to focus on the specific areas that are most relevant to your particular situation in terms of cyber security risks. To support this, FISMA defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest of the government organization that the contractor is working with.
Below is a breakdown of each level of impact as defined by FISMA:
1. Low Impact
Certain types of CDI and CUI are designated as Low Impact by FISMA indicating that, if compromised, the overall adverse impact would be relatively low. The potential impact is Low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might result in some of the following:
- Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
- Result in minor damage to organizational assets
- Result in a minor financial loss
- Result in minor harm to individuals
In determining with your compliance partner which systems and data are FISMA Low impact, the key word to remember is Limited. If certain types of information, even if compromised, would have only a limited impact on Confidentiality, Integrity, or Availability, then compliance measures for those systems or data types need only reach the Low compliance level.
FISMA Definition: Information Type – A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
2. Moderate Impact
The second level of FISMA compliance is Moderate, meaning that compromise would result in more serious consequences than those in the Low-level range. FISMA Moderate impact is defined as having a serious adverse impact on organizational operations, individuals, or government entities.
A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might:
- Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
- Result in significant damage to organizational assets
- Result in a significant financial loss
- Result in significant harm to individuals that do not involve loss of life or serious life-threatening injuries
Moderate impact data and systems might include any number of CDI or CUI, such as process manuals or financial data. While the consequences of these types of data compromise can be quite significant, no serious real-world harm or loss of life results from Moderate level data being hacked.
FISMA Definition: Information System – A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
3. High Impact
High impact data and systems are some of the most important that a contractor or vendor can handle, and therefore are required to be protected at a High FISMA compliance level. High impact data, if compromised, could be expected to result in severe or catastrophic effects on organizational assets, government entities, or specific individuals.
A severe or catastrophic adverse effect is broadly defined by some of the following:
- Causing a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
- Resulting in major damage to organizational assets
- Resulting in a major financial loss
- Resulting in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
One can only imagine some of the High impact information that would result in some of the above consequences. Information about military planning or access to critical power infrastructure, for example, could result in serious real-world harm and even loss of life in the most extreme of circumstances. Identifying potential High impact data and systems within your organization is a critical part of working with your compliance partner, and is the most important aspect when thinking about levels of FISMA compliance and cyber security standards.
Determining Compliance Levels
So how exactly do you know which data types and security systems fall into Low, Moderate, or High levels of impact and compliance? While it’s something that your compliance partner will help you sort through, you should still have a good idea of the overall categorization framework.
The compliance level of an information or data type can be associated with both user information and system information and can be applied to information in either electronic or non-electronic form. It can also be used as input in considering the appropriate security category of an information system. Establishing an appropriate security category of an information type essentially requires determining the potential impact for each security objective associated with the particular information type.
For example, an organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. Therefore, the overall compliance level for this specific data type would be classified as Moderate, but Low in terms of confidentiality.
On the other hand, let’s say a law enforcement organization manages extremely sensitive investigative information (i.e., sensitive data), determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate. While the overall compliance level may be classified as Moderate for this data type, High-level confidentiality measures may need to be put in place to protect sensitive investigative files.
Conversely, determining the compliance level of an information system requires a slightly deeper analysis and audit, and must consider the security categories of all information types that reside in the information system. For an information system, the potential impact level assigned to the respective security objectives (confidentiality, integrity, availability) is determined by both the nature of the system as well as the sensitive data it contains.
For example, a contracting power plant contains a system controlling the distribution of electric power for a large military installation. The system contains both real-time sensor data and routine administrative information. The management at the power plant determines that for the sensor data being acquired by the system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability.
For administrative information being processed by the power plant system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability. While the loss of this data poses a low impact in multiple areas, the fact that disruption of the system itself would cause serious harm to the military installation would likely place such a system at an overall High level of FISMA compliance.
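The categorization procedure described above for information types and for the systems that hold them is the FIPS 199 "high-water mark" rule, and it is mechanical enough to encode. The following is an added Python example, not code from the original article or from NIST: each information type carries a potential-impact value for confidentiality, integrity, and availability (with "not applicable" permitted only for confidentiality), the system category takes the highest value per objective across every type it holds, and a system is never categorized below Low on any objective. The sample information types (`PUBLIC_WEB`, `POWER_PLANT_TYPES`) are constructed here from the article's own web-server and power-plant scenarios.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Impact(IntEnum):
    """Potential impact values, ordered so max() yields the high-water mark."""
    NA = 0        # "not applicable": FIPS 199 allows this only for confidentiality
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type and its impact value per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # Integrity and availability always have at least a LOW impact; only
        # confidentiality may be marked NA (e.g. information that is public).
        if self.integrity is Impact.NA or self.availability is Impact.NA:
            raise ValueError(
                f"{self.name}: integrity and availability must be LOW or higher")

    def category(self) -> Dict[str, Impact]:
        """Security category of the type: one impact value per objective."""
        return {objective: getattr(self, objective) for objective in OBJECTIVES}

    def overall(self) -> Impact:
        """Single level for the type: the highest impact across objectives."""
        return max(self.category().values())


def categorize_system(types: List[InformationType]) -> Dict[str, Impact]:
    """Security category of a system holding the given information types.

    Per objective, take the highest impact among all resident types (the
    high-water mark). A system itself always needs protection, so NA is
    raised to LOW at the system level even if every type marked it NA.
    """
    if not types:
        raise ValueError("a system must hold at least one information type")
    category = {
        objective: max(t.category()[objective] for t in types)
        for objective in OBJECTIVES
    }
    for objective in OBJECTIVES:
        if category[objective] is Impact.NA:
            category[objective] = Impact.LOW
    return category


def system_overall(types: List[InformationType]) -> Impact:
    """Single compliance level for the system: the highest per-objective value."""
    return max(categorize_system(types).values())


def format_category(category: Dict[str, Impact]) -> str:
    """Render a category in the FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    pairs = ", ".join(f"({objective}, {category[objective].name})" for objective in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample data mirroring the article's scenarios (not from the article itself).
PUBLIC_WEB = InformationType("public web content", Impact.NA, Impact.MODERATE, Impact.MODERATE)
POWER_PLANT_TYPES = [
    InformationType("real-time sensor data", Impact.NA, Impact.HIGH, Impact.HIGH),
    InformationType("administrative information", Impact.LOW, Impact.LOW, Impact.LOW),
]

if __name__ == "__main__":
    print("web server type:", format_category(PUBLIC_WEB.category()),
          "-> overall", PUBLIC_WEB.overall().name)
    print("power plant system:", format_category(categorize_system(POWER_PLANT_TYPES)),
          "-> overall", system_overall(POWER_PLANT_TYPES).name)
```

Running the module prints the power-plant system as `SC = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)}` with an overall level of HIGH: the administrative information pulls confidentiality up from NA to LOW, and the sensor data's integrity and availability values set the system's level, which is the reasoning the article walks through in prose.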
FISMA Definition: Security Controls – The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
As you can probably tell by now, determining which FISMA compliance level each of your systems and data types fit into (along with what measures you should take for each of these security threats and vulnerabilities) can be quite complex. When determining FISMA security and compliance levels, expect to work with your partner to identify and secure the following key areas as mandated by NIST:
- Access Controls
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical & Environmental Security
- Security Planning
- Personnel Security
- Risk Assessments
- System and Service Acquisition
- System and Communication Protection
- System and Information Integrity
- Program Management
FISMA Definition: Security Categorization – The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
Whether you’re a Department of Defense (DoD) contractor that deals with life-or-death information about military operations, or a financial vendor that deals with sensitive financial information, FISMA mandates that both your systems and data be protected from security threats and vulnerabilities at the appropriate level of security categorization. Determining which level each system or data type fits into (Low, Moderate, or High) will be a product of the Confidentiality, Integrity, and Availability disruption expected in the event of a cyber incident or data security breach.
Low impact systems, if compromised, would result in a limited impact on your business, government agencies, or individuals. Compromise of Moderate level data or systems can be expected to have a more serious impact, while High-level compromise can (in some cases) result in significant real-world damage or even loss of life. That’s why it’s important to go through each and every area mandated by FISMA, from your cloud storage to your physical file cabinets, to classify each system and data type, categorize it in one of the three levels of FISMA compliance, and put the proper safeguards and security policies in place to make sure that a data security breach never occurs in the first place.