Federal agencies, subcontractors, service providers, and organizations that operate IT systems on behalf of Federal agencies need to be aware of their compliance with the Federal Information Security Management Act (FISMA). This Act recognizes the importance of information security to the economic and national security interests of the United States.
Despite serious administrative, public relations, and financial consequences of failing to maintain FISMA compliance, surveys as recent as 2012 reveal that only 7 Federal agencies achieved more than 90 percent FISMA compliance and other reports indicate that many of these agencies still struggle with access controls, configuration management, and segregation of duties.
This indicates that maintaining FISMA compliance is not as simple as establishing security standards and abiding by them; organizations must proactively monitor and report on the data they process, store, and transmit in order to ensure its ultimate security.
About FISMA Compliance
FISMA was established in 2002 as a section of Title III of the E-Government Act of 2002. The main purpose of this Act is to provide a security protocol for any organization associated with the United States government, including Federal agencies, subcontractors, service providers, and organizations operating IT systems on behalf of those Federal agencies.
To maintain economic and national information security, FISMA sets forth seventeen minimum security-related areas that focus on confidentiality, integrity, and availability of federal information systems and the information they process, store, and transmit. These standards were updated in 2014 and signed into law as the Federal Information Security Modernization Act of 2014.
This law modernizes the original security practices with updates that reassert the authority of a number of government officials; require agencies to notify Congress of major security incidents within seven days; and modify the reporting guidance on threats, vulnerabilities, incidents, and compliance status of information systems.
Tips for Remaining FISMA Compliant
Organizations that need to maintain FISMA compliance are intimately aware of the hurdles of staying compliant and fulfilling the requirements as they apply to national security. Here’s a simplified approach to understanding and maintaining FISMA compliance over the long term:
- Understand your FISMA category
The type of information your organization manages will determine your level of required information security in order to maintain FISMA compliance. Review FISMA to understand the types of information and information systems that are included in each category as well as the minimum information security requirements that will go along with each category.
- Refine, document, and implement your controls
Once you have selected the minimum baseline controls according to your FISMA category, use a risk assessment procedure to refine your controls, document them in a system security plan, and implement them in the appropriate information systems. These particular steps will ensure a streamlined process and the ability to track your progress (and changes to the process) over time.
- Evaluate agency-level risk to the mission or business case
Once your process is refined and documented, it is vital that you review that information and evaluate what risk it poses to national and economic security. Then you will be able to authorize the information system for processing, knowing you have done your due diligence to prevent a data breach or mishandling.
- Review your programs annually
FISMA requires program officials and the heads of each agency to perform annual reviews of information security programs. Conduct these reviews regularly to keep risks at or below the levels outlined within the Act.
FISMA compliance is a major step in maintaining the security of vulnerable consumer data.