In 2002, the World Wide Web was barely a decade old and in many ways still in its nascent stages. Even so, its growth had spurred the dissemination and sharing of information at a torrid rate. At the turn of the century the term “cybersecurity” had yet to become part of the mainstream lexicon, but despite the relative lack of sophistication in those early days, the federal government recognized the risk that digital information could pose in the wrong hands.
FISMA, the Federal Information Security Management Act, was signed into law in December 2002 as Title III of the E-Government Act, replacing the earlier Government Information Security Reform Act (GISRA) of 2000; it was updated in 2014 by the Federal Information Security Modernization Act, which kept the acronym. FISMA defines information security as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability,” and it explicitly calls for a “risk-based policy for cost-effective security.”
The act requires every federal agency to develop, document and implement an agency-wide program to protect its information and the information systems that hold it, including systems operated on the agency’s behalf by contractors. In 2008, federal agencies reported spending about $6.2 billion securing government systems under FISMA. Today the obligation reaches beyond the agencies themselves: state agencies that administer federal programs and private businesses that hold government contracts and handle federal information are expected to demonstrate FISMA compliance as well.
If you have ever had questions or concerns about FISMA audits, you have come to the right place. In this article we cover everything FISMA, from requirements to tips on how to pass your next security and performance audit. For more information or expert help navigating FISMA audits, RSI Security is a leader in the cybersecurity industry and can assist you. Schedule a free consultation today.
What Is A FISMA Audit?
A FISMA audit verifies that government agencies, as well as private organizations that operate systems or handle information on the government’s behalf, properly secure and store sensitive data. FISMA also requires that the information systems those organizations use are protected and monitored to the same standard as the data itself.
Who Needs A FISMA Audit?
Since FISMA exists to protect federal information, a federal agency knows it must be FISMA compliant. However, a private business that holds a government contract, manages information on the government’s behalf, or operates a system that connects to an agency’s may also be required to pass a FISMA audit. RSI Security can help determine whether a FISMA audit is necessary for you.
FISMA Audit Requirements:
The standards behind FISMA audits are written in large part by the National Institute of Standards and Technology (NIST). NIST’s FISMA publications have gone through many iterations, starting with FIPS 199 in February 2004 and continuing through SP 800-160, published in 2016. Each new set of standards was designed to better protect information and information systems from compromise. Those standards define the FISMA audit requirements, which are far-ranging. On the bright side, FISMA does not require every organization to implement every control, only the ones relevant to the systems it operates. Nevertheless, there are general requirements, so here are the FISMA audit requirements, also known as the FISMA standards, by category.
- Information System Catalog: Every FISMA-compliant agency must create and maintain an inventory of the information systems it operates or has operated on its behalf. With a complete inventory, an agency can track where information lives, how it is secured and how it moves between systems. The inventory must also identify and categorize the interfaces between those systems and with systems outside the agency. Interconnections are frequent weak points, used by attackers to move from one system into another, which is why they must be identified and secured.
- Risk Management: In the eyes of the government, not all information is created equal. Agencies undergoing FISMA audits must categorize each information type and each information system by the impact that a loss of confidentiality, integrity or availability would cause: Low, Moderate or High under FIPS 199. The more sensitive the information, the stronger the security protecting it. A system’s category is the highest impact among the information types it handles, so a single high-impact data set raises the bar for the whole system.
- Security Integrity: Every vault has a set of security plans outlining key points of interest and potential weaknesses. By holding sensitive government information, a business puts itself in a position similar to a vault; it is not guarding hordes of cash but equally valuable information. FISMA requires the business to produce a system security plan that sets forth how that information will be protected. The plan must detail security policies, the controls in place and contingency plans in case of a breach, along with a timeline for implementing continued security enhancements.
- Security Implements: The catalog of FISMA security controls is extensive; NIST SP 800-53 contains the entire list. Thankfully, not all of the controls are required for every system. FIPS 200 maps a system’s impact level to a Low, Moderate or High baseline of SP 800-53 controls, and the agency then tailors that baseline to its particular system. Once an institution has selected the controls befitting its situation, it must implement them and document them in its security plan. That security plan is what a FISMA audit checks for approval.
- Risk Assessments: A security plan may be perfectly planned and executed, but if the system is never tested and checked for gaps, gaps will form. FISMA requires not only periodic testing of controls but risk assessments at every level of the organization. Every level means not only where the most sensitive information is kept, but anywhere data is kept. You never know where attackers may find a back door, hence the importance of having a risk assessment in place.
- Checks And Balances: In addition to risk assessments, FISMA expects organizations to perform security reviews each year. It may feel redundant to require continual risk assessments at every level of the organization as well as annual reviews, but that is how effective security works: layer upon layer of checks and redundancies. The original NIST SP 800-37 certification and accreditation process had four phases: initiation, security certification, security accreditation, and continuous monitoring. NIST has since replaced it with the Risk Management Framework, in which an authorizing official grants the system an authorization to operate (ATO) and the organization monitors its controls on an ongoing basis. Without a current authorization, an organization risks losing its FISMA compliance. Learn more in our related blog post where we discuss how often you should audit your cyber security.
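The catalog and risk-management requirements above come together in one concrete step: each system in the inventory is categorized under FIPS 199, and the category decides which FIPS 200 baseline applies. The following is an added worked example, not code from the original article or from NIST; the systems, identifiers (SYS-001 and so on) and information types are constructed for illustration. It applies the FIPS 199 high-water-mark rule (per objective, the highest impact among the information types a system handles, with “not applicable” allowed only for confidentiality and never carried up to the system level) and then runs two inventory checks: every documented interface must point at a cataloged system, and an interface to a higher-impact system is flagged for a documented interconnection agreement. That second check is this example’s own heuristic, not a rule stated in FISMA.

```python
"""FIPS 199 categorization and inventory checks over a constructed system
catalog. Added example; SYS-001/SYS-002 and their information types are
fictional."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")
# FIPS 199 impact levels. "NA" (not applicable) is permitted only for the
# confidentiality of an information type that is already public.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class System:
    system_id: str
    name: str
    info_types: Tuple[InfoType, ...]   # information types the system handles
    interfaces: Tuple[str, ...] = ()    # system_ids it exchanges data with


def _check_level(level: str, objective: str, info_type: str) -> None:
    if level not in IMPACT_RANK:
        raise ValueError(f"{info_type}: unknown impact level {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"{info_type}: NA is only allowed for confidentiality")


def categorize_system(system: System) -> Dict[str, str]:
    """FIPS 199 system category: for each objective, the highest impact among
    all information types the system processes, stores or transmits. At the
    system level NA is not used, so an all-NA confidentiality column becomes
    LOW."""
    if not system.info_types:
        raise ValueError(f"{system.system_id}: no information types recorded")
    category = {}
    for objective in OBJECTIVES:
        levels = []
        for info_type in system.info_types:
            level = getattr(info_type, objective)
            _check_level(level, objective, info_type.name)
            levels.append(level)
        highest = max(levels, key=IMPACT_RANK.__getitem__)
        category[objective] = "LOW" if highest == "NA" else highest
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200: the overall impact level that selects the SP 800-53 baseline
    (Low, Moderate or High) is the highest of the three objectives."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)


def inventory_findings(inventory: List[System]) -> List[str]:
    """Two reviewer checks over the catalog. The second (flagging links to a
    higher-impact system) is this example's own heuristic, not FISMA text."""
    by_id = {s.system_id: s for s in inventory}
    impact = {s.system_id: overall_impact(categorize_system(s)) for s in inventory}
    findings = []
    for system in inventory:
        own = impact[system.system_id]
        for peer_id in system.interfaces:
            if peer_id not in by_id:
                findings.append(
                    f"{system.system_id}: interface to uncataloged system {peer_id}")
            elif IMPACT_RANK[impact[peer_id]] > IMPACT_RANK[own]:
                findings.append(
                    f"{system.system_id} ({own}) connects to {peer_id} "
                    f"({impact[peer_id]}): document the interconnection")
    return findings


# Constructed sample inventory (fictional systems and information types).
PAYROLL = System("SYS-001", "Payroll", (
    InfoType("employee PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("disbursement records", "LOW", "HIGH", "MODERATE"),
))
WEBSITE = System("SYS-002", "Public web site", (
    InfoType("press releases", "NA", "LOW", "LOW"),
), interfaces=("SYS-001", "SYS-999"))
INVENTORY = [PAYROLL, WEBSITE]

if __name__ == "__main__":
    for system in INVENTORY:
        cat = categorize_system(system)
        print(system.system_id, cat, "->", overall_impact(cat), "baseline")
    for finding in inventory_findings(INVENTORY):
        print("FINDING:", finding)
```

Note how one HIGH integrity rating on the disbursement records pulls the whole payroll system up to the High baseline even though every other rating is Moderate or Low; that is the high-water-mark rule working as designed, and it is why the catalog must list every information type a system touches, not just the obvious ones.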
Benefits Of FISMA Compliance:
FISMA’s role, despite its wide-ranging requirements, is the security of information. Since its inception, FISMA compliance requirements have helped raise both baseline and high-level security across government agencies. Yet even if you are not a government agency, there are benefits to passing a FISMA audit.
- Improved Security: As we just touched on, FISMA was the tide that lifted all boats when it comes to security. Before FISMA, the baseline level of security across federal agencies was uneven and often poor. FISMA gave every agency the same categorization, control and reporting obligations, and the baseline has risen as a result. By becoming FISMA compliant, a business improves its own security and becomes part of a trusted network.
- Consistency: Originally, FISMA applied only to agencies of the federal government. As federal information spread to state departments and government contracts with private business became more common, FISMA’s purview spread with it. By coming under FISMA’s umbrella, those other sectors have gained improved security and uniformity with the agencies they work with.
- Vetting: For many businesses in the private sector, FISMA audits are an opportunity to prove themselves worthy of sensitive information. The audit process may come with some difficulties, but the business advantage of federal agencies seeing that your systems have passed a FISMA assessment has proven worthwhile. Lastly, having a federal agency look over your security controls can help you sleep easy, knowing you have done everything to keep your valuable information secure.
Penalties For Non-Compliance:
The penalties for failing a FISMA audit depend on who is failing it. When a government agency posts a low FISMA score, the penalties are likely to be censure and a public rebuke in the reports that go to OMB and Congress. That may not sound like much, but the jobs of many people in that agency would be at risk.
When a state department does poorly on a FISMA audit, the consequences are more varied. First, its relationship with the federal government comes into question, since a failing FISMA score puts its reliability in doubt. The federal government may cut funding and publicly chastise the department if it fails to fix the issues.
Lastly, when a private business fails a FISMA audit or loses its authorization to operate, the result may be the most damaging of all. The business’s reputation is hurt, just like the state department’s. Failing a FISMA audit shows that the business is not taking the proper steps to secure the information entrusted to it, and it damages the relationship between business and government. If the business cannot remedy its FISMA score, the agency has no choice but to cut funding or move on altogether. For many businesses the government is their biggest contract and the reference that helps them win other business. Penalties like these can set an organization back for years, and many times the trust is never regained.
Tips On Passing The FISMA Audit Program:
FISMA audits can be complex and complicated, but that does not mean they are impossible. RSI Security has been helping all types of businesses with their FISMA audits for years. Here are our tips for passing FISMA with flying colors.
Data, Data, Data:
Yes, the FISMA audit is about more than just the data. According to the standards, information systems are just as important as the data itself, and that notion bears some credence. Still, the data is the key. Prioritize your most valuable data, and then the most valuable data of the companies you work with. By building systems and qualified people around that high-priority data, you align yourself with FISMA best practices. It is also the most cost-efficient way to build a risk-oriented strategy.
Appoint A Point Person For Information Security:
Securing data for a company big or small is no easy feat. That is why FISMA requires agencies to designate a senior information security officer who heads information security for the entire organization. The standard makes accountability for information security go all the way to the top, but that does not mean the CEO must do it personally. It means there must be one person who oversees all information security affairs, protocols and security management without conflicts of interest from other responsibilities. We recommend a relatively senior employee. Do not push this responsibility down onto a network administrator who has neither the authority nor the time for it; that will not go over well with assessors.
Paperwork, Paperwork, Paperwork:
Regardless of industry, no one wants to do or even hear about paperwork. Unfortunately, maintaining proper reports is vital to keeping your FISMA compliance. Assessors need reports to do their jobs, and FISMA requires agencies to report on their security programs annually. The lifehack for this is automation. Many tools will generate control status and vulnerability reports automatically, saving you money and manpower, and a well-organized set of automated reports puts you on the good side of assessors because it makes their job easier.
Planning Makes Perfect:
Many companies and agencies push information security to the back burner while concentrating on other aspects of the business. That is a recipe for failure: information security must be a priority if you are to pass your FISMA audit. Create a plan with a budget, even if it is a modest one. Showing auditors you are serious about your security will go a long way toward a passing grade.
Test, Analyze, Repeat:
FISMA requires security controls for all agencies, although which controls apply depends on the type of system and the information you are charged with. Testing is not an easy process and requires a lot of work. Put someone in charge of testing and rigorously evaluate the current controls, the findings of each test and how to improve. Keep diligent documentation of the testing and use an audit-tracking system if possible.
FISMA audits should not be looked at like the taxman coming to make your life miserable. Seen in the proper perspective, these audits can be beneficial. Picture FISMA as a means to improve your security measures, improve consumer confidence and gain new clients. In the right light, a FISMA audit is a useful tool, not a frustration-inducing event. Contact RSI Security today to learn more about your cybersecurity solutions.