The Federal Information Security Management Act, or FISMA, was passed by the United States Congress in 2002 in response to the growing concern of cybersecurity threats against federal IT networks. Through FISMA, the US government sought to enhance its cybersecurity maturity and reduce the risk to federal information and data.

Applies beyond the federal government

Whilst FISMA was initially applicable to only US federal agencies, over time, the law has evolved to also include state agencies administering federal programs (e.g. Medicare, Medicaid, unemployment insurance, etc.). The US government further expanded the scope of FISMA into the commercial sector – i.e. organizations that have a contractual relationship with the government, whether to provide services, support a federal program, or receive grant money.

Implement an effective cybersecurity program

FISMA requires federal agencies to manage their risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. Each agency must develop, document and implement an agency-wide program to provide information security. In support of this effort, they are required to take a number of steps to ensure the protection of sensitive government data and information through:

• Establishing a System Security Plan (SSP)
• Categorizing information and information systems according to risk level
• Maintaining an inventory of information systems
• Employing monitor security controls
• Conducting timely and accurate risk assessments
• Achieving FISMA certification and accreditation

Continually monitor implementation of security controls

Agencies are expected to monitor the implementation of security controls on an ongoing basis, enabling these organizations to respond quickly to security incidents or data breaches. A key element of this effort is configuration management and tracking changes, where deviations between the desired and actual state of the network are highlighted and addressed.

The role of NIST

As directed by FISMA, the National Institute of Standards and Technology (NIST) is responsible for maintaining and updating the compliance documents that govern many of the FISMA requirements. For instance, agencies must select and apply the appropriate security controls and assurance requirements described in NIST 800-53, which are documented in their respective SSPs. NIST 800-30, on the other hand, provides guidance on how agencies should perform risk assessments. And what is required in terms of certification and accreditation is defined in NIST 800-37.

Annual Reviews

Agencies are expected to conduct annual reviews of their respective information security programs and report those findings to the Office of Management and Budget (OMB), which uses these data to assist in its oversight responsibilities and to prepare an annual report to Congress on federal FISMA compliance.

Penalties for lack of compliance

Organizations that fail to comply with FISMA requirements are at risk of stiff penalties. These could include reduced funding or congressional censure. But, for federal contractors subject to FISMA, the failure to comply could result in not only financial consequences, such as loss of contracts, but also long-term reputational damage.

Save time and resources conducting FISMA compliance assessments

So it’s important that government agencies and private sector contractors alike do everything possible to maintain compliance with FISMA. And when they conduct their annually required assessments, it’s key to have the fullest picture of their organization’s network posture, security and compliance. That’s where accurate tools, like Titania Nipper, can save network owners both time and resources when conducting FISMA assessments.

Trusted by US federal agencies, including the US Department of Defense (DoD), Nipper accurately automates core network device assessments and is proven to save up to 3 hours per device audit by not investigating false positives generated by competitive solutions. Nipper conducts its assessments against trusted risk management and control frameworks and benchmarks, including 34 (94%) of NIST 800-53 controls related to core network devices, across the following 10 control families.

Matt Malarkey