Federal Information Security Management Act (FISMA)
What is FISMA?
FISMA stands for the Federal Information Security Management Act, a United States federal law enacted in 2002 (as Title III of the E-Government Act of 2002) that recognizes the importance of information security to the economic and national security interests of the United States. It was updated in 2014 by the Federal Information Security Modernization Act, which kept the FISMA abbreviation.
FISMA requires each federal agency to develop, document, and implement an agency-wide information security program to protect the information and information systems that support its operations and assets, including those provided or managed by another agency, a contractor, or another third party.
Who must be FISMA compliant?
All federal agencies, their contractors, and organizations that exchange data directly with federal government systems must be FISMA compliant. Depending on the data flows involved, this can include entities as diverse as data clearinghouses, state government departments, and military subcontractors.
Who is responsible for FISMA compliance?
FISMA applies to every agency of the U.S. federal government. Since the law was enacted in 2002, its reach has been extended to state agencies that administer federal programs such as unemployment insurance, student loans, Medicare, and Medicaid. It has also been extended into the private sector, with significantly increased oversight of implementation: any private-sector organization that has a contractual relationship with the federal government, whether to provide services, support a federal program, or receive grant money, must comply with FISMA.
What are the top FISMA requirements?
The National Institute of Standards and Technology (NIST) plays a central role through the FISMA Implementation Project, launched in January 2003, which produced the key security standards and guidelines required by FISMA. These publications include FIPS 199, FIPS 200, and the NIST SP 800 series.
The top FISMA requirements include:
- Information System Inventory: Every federal agency or contractor working with the government must maintain an inventory of all information systems used within the organization, and must identify the interfaces between those systems and other systems on its network.
- Risk Categorization: Organizations must categorize their information and information systems by impact so that sensitive data, and the systems that handle it, receive the highest level of protection. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, defines the low, moderate, and high impact levels into which organizations place their information systems.
- System Security Plan: FISMA requires agencies to create a system security plan that is regularly maintained and kept up to date. The plan should cover the security controls implemented within the organization, the security policies in force, and a timetable for introducing further controls.
- Security Controls: NIST SP 800-53 provides an extensive catalog of security controls for FISMA compliance. FISMA does not require an agency to implement every control; agencies implement the controls that are relevant to their organization and systems, starting from the baseline that matches each system's impact level. Once the appropriate controls have been selected and the security requirements met, the organization must document the selected controls in its system security plan.
- Risk Assessments: Risk assessments are a key component of FISMA's information security requirements. NIST SP 800-30 gives guidance on how agencies should conduct them. According to NIST, risk is assessed at three tiers so that risks are identified at each level: the organization, the mission or business process, and the information system.
- Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual reviews of their information security programs to keep risk at an acceptable level. Agencies historically achieved FISMA Certification and Accreditation (C&A) through a four-phase process: initiation and planning, certification, accreditation, and continuous monitoring. Current revisions of NIST SP 800-37 replace C&A with the Risk Management Framework (RMF), in which the equivalent steps are called assessment and authorization (A&A) and an authorizing official grants the system an authorization to operate (ATO).
What is the FISMA compliance framework?
After FISMA was passed, NIST took the primary role in implementing the law by creating and promoting the standards that federal agencies and government contractors use to become FISMA compliant. These standards were published along with supplementary best-practice materials and include:
- FIPS Publication 199: The Federal Information Processing Standard 199 is the standard for security categorization of federal information and information systems, published in February 2004. It requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for each of the security objectives of confidentiality, integrity, and availability. FIPS 200 then takes the highest of the three, the high-water mark, as the system's overall impact level, which selects its control baseline.
- FIPS Publication 200: This document sets the minimum security requirements for federal information and information systems as of March 2006. It covers seventeen security-related areas concerned with protecting the confidentiality, integrity, and availability of federal information systems and of the information they process, store, and transmit.
These seventeen areas correspond to the control families of NIST SP 800-53 and were originally grouped into three classes of security controls: management, operational, and technical. (SP 800-53 Revision 4 and later no longer label families by class and add further families beyond these seventeen.) The list, grouped by class, is as follows:
Management controls:
- Certification, Accreditation, and Security Assessments (CA)
- Planning (PL)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
Operational controls:
- Awareness and Training (AT)
- Configuration Management (CM)
- Contingency Planning (CP)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Personnel Security (PS)
- System and Information Integrity (SI)
Technical controls:
- Access Control (AC)
- Audit and Accountability (AU)
- Identification and Authentication (IA)
- System and Communications Protection (SC)
- NIST SP 800-18 (SP stands for Special Publication): Guide for Developing Security Plans for Federal Information Systems. Revision 1, the version used under FISMA, was published in February 2006.
- NIST SP 800-30: Guide for Conducting Risk Assessments. Revision 1 was published in September 2012 and replaced the 2002 original.
- NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems, which takes a security life cycle approach. Revision 1 was published in February 2010 and last updated in June 2014; Revision 2, published in December 2018, extends the framework to privacy risk.
- NIST SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View, published in March 2011.
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. Revision 4 was published in April 2013 and describes in detail the security controls and the control baselines associated with each impact level. Revision 5 (September 2020) moves the baselines into the companion publication SP 800-53B.
- NIST SP 800-59: Guideline for Identifying an Information System as a National Security System, published in August 2003.
- NIST SP 800-60: A two-volume guide for mapping types of information and information systems to security categories. Volume I (Revision 1) was published in August 2008, and Volume II, published at the same time, contains the appendices to Volume I, including the catalog of information types and their provisional impact levels.
- NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, published in September 2011.
- NIST SP 800-160: A more recent publication (Volume 1, November 2016) on systems security engineering. It provides an integrated approach to building trustworthy and resilient systems.
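The FIPS 199 categorization described under Risk Categorization and FIPS Publication 199 above is mechanical enough to script: each information type carries a provisional (confidentiality, integrity, availability) impact, the system takes the maximum per objective, and the high-water mark across the three selects the control baseline. The following Python is an added example, not code from this page or from Nemasis; the system name, the information types and their provisional impact levels are constructed for illustration (real provisional levels come from NIST SP 800-60 Volume II, adjusted by the agency).

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example; not code from this page or from Nemasis. The system and the
information types below, with their provisional impact levels, are constructed
for illustration. In a real categorization the types and provisional levels
come from NIST SP 800-60 Volume II, adjusted by the agency as needed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """Provisional impact per security objective for one information type.

    confidentiality may be None ("not applicable"): FIPS 199 allows N/A only
    for the confidentiality of information intended for public release, and
    only at the information-type level, never for a system.
    """
    name: str
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        if self.integrity is None or self.availability is None:
            raise ValueError(f"{self.name}: integrity and availability can never be N/A")


def categorize_system(types: Iterable[InfoType]) -> Dict[str, Impact]:
    """SC(system) = {(C, max C), (I, max I), (A, max A)} over every information
    type the system processes, stores or transmits.  N/A values are skipped and
    each objective is floored at LOW, because a system can never be N/A."""
    types = list(types)
    if not types:
        raise ValueError("a system must process at least one information type")
    sc = {objective: Impact.LOW for objective in OBJECTIVES}
    for info in types:
        for objective in OBJECTIVES:
            level = getattr(info, objective)
            if level is not None and level > sc[objective]:
                sc[objective] = level
    return sc


def overall_impact(sc: Dict[str, Impact]) -> Impact:
    """High-water mark across the three objectives.  FIPS 200 and SP 800-53 use
    this single level to select the LOW, MODERATE or HIGH control baseline."""
    return max(sc[objective] for objective in OBJECTIVES)


def format_sc(system_name: str, sc: Dict[str, Impact]) -> str:
    """Render the result in the notation FIPS 199 itself uses."""
    body = ", ".join(f"({objective}, {sc[objective].name})" for objective in OBJECTIVES)
    return f"SC {system_name} = {{{body}}}"


# Constructed sample: a hypothetical benefits-claims system and the information
# types it handles.  Names and levels are invented for the example.
CLAIMS_SYSTEM = "benefits claims processing system"
CLAIMS_INFO_TYPES = [
    InfoType("public program announcements", None, Impact.LOW, Impact.LOW),
    InfoType("applicant personal data", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("payment disbursement records", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
]

if __name__ == "__main__":
    category = categorize_system(CLAIMS_INFO_TYPES)
    print(format_sc(CLAIMS_SYSTEM, category))
    print("control baseline:", overall_impact(category).name)
```

For the constructed sample the system comes out as (MODERATE, HIGH, MODERATE) with an overall high-water mark of HIGH: a single high-integrity information type pulls the whole system onto the high baseline. That is the practical reason agencies often draw authorization boundaries so that the high-impact type sits in a smaller, separately categorized system rather than inheriting the high baseline everywhere.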
How is FISMA compliance validated?
The compliance audit and validation process consists of three steps.
1. Data feeds directly from security management tools: On a monthly and quarterly basis, agencies must connect to CyberScope, the FISMA online compliance tool, and feed data in the following areas:
- Systems and Services
- External Connections
- Security Training
- Identity Management and Access
2. Government-wide benchmarking on security posture: CyberScope also poses a set of questions on the organization's security posture. All organizations except small-scale (micro) agencies must answer these questions in addition to providing the data feeds described above.
3. Agency-specific interviews: As a follow-up to the questions described above, a team of government security specialists interviews each agency individually on its security posture. The interviews focus on the specific threats the agency faces as a consequence of its unique mission.
What are the consequences of non-compliance?
FISMA holds federal agencies accountable for securing government information. Failure to pass a FISMA review can result in:
- Censure by Congress
- Reduction in federal funding
- Reputational damage
How does Nemasis help achieve FISMA compliance?
Nemasis partners with federal departments and agencies to help them meet their regulatory requirements. Nemasis provides end-to-end security solutions and services for government agencies and subcontractors to help them meet FISMA compliance, organized around the security control families defined in FIPS 200 and described in detail in NIST SP 800-53 Revision 4.
Nemasis-VA is a vulnerability management suite that supports the entire vulnerability management lifecycle: discovery, detection, verification, risk classification, analysis, reporting, and mitigation.
In the context of FISMA, Nemasis-VA helps agencies to:
- Get a clear picture of the real risk posed by identified IT vulnerabilities and misconfigurations across the organization (RA).
- Focus quickly on the items that pose the greatest risk (RA).
- Maintain the inventory of systems, services, and applications (SA).
- Detect and report unauthorized software (SA).
- Perform unified vulnerability scanning of all important systems, including networks, operating systems, web applications, databases, enterprise applications, and custom applications (RA).
- Efficiently detect misconfigurations and vulnerabilities so that systems meet security policies, laws, and regulations (CM).
- Monitor software installation policies (SA).
- Audit users and groups on the organization's systems (PS).
- Discover accounts that should have been terminated (PS).
- Manage remediation plans (SI).
- Support incident response by providing details of the vulnerabilities and misconfigurations that were exploited, together with the remediation steps that prevent their reuse (IR).
- Validate that access restrictions are properly authorized (AC).
- Test external and internal boundary defenses (SC).
- Deliver auditable, reportable events on vulnerabilities throughout the organization (AU).
Nemasis-VA customers can also meet FISMA reporting requirements by generating CyberScope reports based on USGCB (United States Government Configuration Baseline) and FDCC (Federal Desktop Core Configuration) checklists. Federal agencies and contractors must submit their monthly FISMA data through CyberScope.