The Federal Information Security Management Act (FISMA) of 2002, amended in 2014 by the Federal Information Security Modernization Act, was introduced to strengthen the cybersecurity defenses of federal information systems and networks. It requires US federal agencies to develop, document and implement agency-wide information security programs, making a cybersecurity defense program a statutory requirement rather than an option.
Compliance with FISMA reduces the risk to sensitive data in federal systems, because organizations must embed baseline security controls and procedures to protect government information. FISMA compliance also means taking a risk-based approach to cybersecurity: the parts of the network most exposed to a harmful data breach receive the strongest protection.
Federal agencies must comply, but FISMA is also relevant to any organization that connects to, or handles data for, the federal information network.
Service providers to federal agencies, and contractors and subcontractors in the federal supply chain, can therefore be subject to FISMA requirements. The law was written to achieve a consistent level of protection across federal systems and networks, including those operated by supply chain contractors.
Compliance has several stages, from embedding the correct security controls to actively monitoring that they remain effective. Regular reporting is an important element of FISMA: the organization must continuously monitor its controls and systems, document the results, and report its compliance status to the Office of Management and Budget (OMB), which publishes an annual report on federal agencies' performance. This encourages a culture of continuous improvement in which cybersecurity controls are repeatedly assessed and strengthened.
Here is a 7-step checklist to stay in compliance with the core requirements of FISMA.
Your FISMA Compliance Checklist
FISMA mandates a risk-based approach to cybersecurity. Building a risk management program means that security controls are selected in proportion to the risk of a data breach, taking into account both the likelihood of a breach and the damage it would cause.
There are clear steps that organizations can take to be compliant with the core requirements of FISMA. These include the initial scoping of systems, the embedding of controls, and the continuous review and improvement of system defenses.
The 7-step checklist for FISMA compliance is as follows:
- Create and maintain an information system inventory
- Categorize information systems by risk level
- Create a system security plan
- Comply with NIST guidelines and controls
- Create a risk assessment plan
- Certify and accredit any new IT system, software, assets, or hardware
- Continuously monitor security controls and systems
1. Create and maintain an information system inventory
The first step is to create and maintain an inventory of the organization's information systems. It should clearly define each system's boundary, how systems connect to one another, and every connection point to external systems, and it must be kept up to date as systems change. An information system inventory is a requirement for FISMA compliance, so every relevant organization should create one.
The inventory helps the organization understand each system and every entry point across its boundary, which is essential when drafting an information security plan or performing risk assessments. Scoping also identifies the elements that process or store sensitive data, which feeds the risk management plan. Data flow diagrams make these flows explicit and help prioritize resources for the most sensitive areas. High-risk parts of the system will need enhanced controls, so initial scoping and inventory mapping are important.
2. Categorize information systems by risk level
FISMA compliance means a risk-based approach to information system security. Each system in the inventory from step one should be categorized by the level of security risk it carries, because that level determines how much protection it needs. Risk is set by the potential damage a breach would do to the organization's operations and by the type of information the system holds, so classifying the data each system processes or stores is a useful way to gauge it. For federal systems the standard method is FIPS 199, which rates the impact of a loss of confidentiality, integrity and availability as low, moderate or high and takes the highest rating as the system's overall impact level; that level in turn selects the NIST SP 800-53 control baseline.
Categorization focuses effort and avoids wasting resources: systems at higher risk of data breaches or cybersecurity incidents get enhanced controls and protection, while lower-risk systems are not over-engineered.
3. Create a system security plan
A system security plan (SSP) is the key document recording the system's security controls, policies and procedures. Treat it as a living document that is regularly reviewed and maintained so that it always reflects the current state of the system's security.
The SSP should also document any controls or requirements that the organization has not yet fully implemented, in a plan of action and milestones (POA&M) that sets out how and when each gap will be closed. Together, the SSP and POA&M are the primary evidence of compliance with FISMA requirements.
4. Comply with NIST guidelines and controls
FISMA tasks the National Institute of Standards and Technology (NIST) with developing the standards, guidelines and security requirements that federal information systems must follow. The aim is a consistent baseline of protection across federal systems and their supply chains. To achieve FISMA compliance, a federal system must meet the security requirements in the relevant NIST publications.
NIST Special Publication 800-53 is a catalog of security and privacy controls designed to improve the resilience of information systems.
Revision 5 contains more than 1,000 controls and control enhancements organized into 20 control families, spanning topics from personnel security to physical and environmental protection. Implementing the appropriate SP 800-53 baseline is a key step toward FISMA compliance.
SP 800-53 is one of a series of NIST publications on information system security. Another is SP 800-171, which specifies the controls needed to protect Controlled Unclassified Information (CUI) on non-federal systems and is particularly relevant to defense contractors and other organizations in the federal supply chain.
5. Create a risk assessment plan
As noted above, FISMA requires federal agencies to take a risk-based approach to safeguarding information systems, and a risk assessment plan is integral to that. It establishes continuous risk assessment and monitoring and keeps the organization adapting to emerging threats. The aim is to identify the risks and threats to the system and to uncover vulnerabilities that must be fixed. By continuously assessing and auditing for risks and threats, organizations can proactively strengthen system resilience.
6. Certify and accredit any new IT system, software, assets, or hardware
Organizations should embed a process for reviewing and accrediting any new or existing software, hardware or other asset that becomes part of the federal network (in current NIST Risk Management Framework terminology this is assessment and authorization, but the older certification and accreditation terms are still widely used). Any new software or hardware should be assessed against the applicable security controls to surface potential vulnerabilities, and installed according to a secure configuration policy.
Federal systems are built from many off-the-shelf operating systems, applications and devices, and any one of them, if misconfigured, can become a foothold into the wider system. Maintain an up-to-date inventory of accredited systems, software and assets so that vulnerabilities can be tracked against each item, and standardize the review and accreditation process so that it costs less effort each time.
Examples of software, systems, and hardware to be reviewed and certified include:
- Browsers and desktop applications.
- Mobile devices and printers.
- Operating systems.
- Information system hardware and devices.
- Cloud networks.
- Network devices, routers, and servers.
Properly certifying software and assets makes the system boundary as secure as possible. Uncertified software and assets raise the risk of cybersecurity incidents and data breaches and can be leveraged for unauthorized access; keeping accredited devices and software patched and securely configured lowers the risk to the wider network.
The Department of Defense (DoD) uses Security Technical Implementation Guides (STIGs), published by the Defense Information Systems Agency (DISA), to securely install and configure software and systems. Each guide lists configuration requirements graded by severity (CAT I, II and III, from most to least severe); meeting the CAT I requirements, which cover the configurations most likely to lead directly to compromise, is vital for securing DoD systems. STIG compliance is required for any federal system or contractor network that connects to the DoD network.
7. Continuously monitor security controls and systems
Achieving FISMA compliance is not the end of the project. Compliance is an ongoing commitment and requires continuous monitoring of security controls to stay secure against emerging risks and threats; regular reporting from federal agencies is an integral part of FISMA.
Information system defenses and policies cannot be static, because threats evolve and new risks keep emerging. System configurations also drift out of date: product updates and version changes can introduce new vulnerabilities.
Continuous monitoring may include:
- Regular audits of security controls and requirements across devices and systems.
- Regular risk assessments of any emerging threats or risks.
- In-depth risk assessments and ongoing monitoring of any changes to the federal system, to identify and resolve any vulnerabilities.
- Vulnerability scans of network and firewall configuration.
- Active monitoring of system configurations.
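The STIG paragraph in step 6 and the monitoring list above both come down to checking device configurations against a hardening baseline. As an added example (not the article's own material and not Nipper's code), here is a small Python audit that runs that kind of check over two constructed Cisco IOS-style running-configs, one weak and one remediated. The configs, hostname, community string and password hash are placeholders; the severity labels borrow the STIG CAT I/II/III scheme but the checks are common IOS hardening expectations, not quotations from any specific STIG rule.

```python
# Added example, not the article's own material and not Nipper's code: a small
# configuration audit of the kind steps 6 and 7 describe, over constructed configs.
import re

# Constructed, intentionally weak running-config (not captured from a real device).
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
no service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# The same device after remediation (also constructed; the hash is a placeholder).
HARDENED_CONFIG = """\
hostname edge-rtr-1
enable secret 9 $9$placeholderhash
service password-encryption
no ip http server
ip ssh version 2
snmp-server community Zq7-long-random-string RO
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""


def parse_config(text):
    """Return top-level commands and indented sections keyed by header line."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separates sections in IOS configs
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_config(text):
    """Run every check; return a list of finding dicts ([] means all passed)."""
    top, sections = parse_config(text)
    findings = []

    def fail(severity, check, detail):
        findings.append({"severity": severity, "check": check, "detail": detail})

    if not any(line.startswith("enable secret") for line in top):
        fail("CAT I", "enable-secret", "no 'enable secret'; privileged mode relies on a reversible or absent password")
    if any(line.startswith("enable password") for line in top):
        fail("CAT II", "enable-password", "'enable password' is reversible; remove it once 'enable secret' is set")
    if "service password-encryption" not in top:
        fail("CAT II", "password-encryption", "line passwords are stored in clear text")
    if "ip http server" in top:
        fail("CAT II", "http-server", "clear-text HTTP management interface is enabled")
    if "ip ssh version 2" not in top:
        fail("CAT II", "ssh-v2", "SSH is not pinned to version 2")
    for line in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"  # IOS defaults to RO
            if community.lower() in ("public", "private"):
                fail("CAT I", "snmp-default-community", f"default SNMP community '{community}'")
            if mode == "RW":
                fail("CAT I", "snmp-rw", f"read-write SNMP community '{community}'")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [b for b in body if b.startswith("transport input")]
        if not transports:
            fail("CAT II", "vty-transport", f"{header}: no explicit 'transport input' restriction")
        for t in transports:
            allowed = set(t.split()[2:])
            if allowed != {"ssh"}:
                fail("CAT I", "vty-transport", f"{header}: allows {' '.join(sorted(allowed))}; restrict to ssh")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for f in sorted(results, key=lambda f: f["severity"]):
            print(f"  [{f['severity']}] {f['check']}: {f['detail']}")
```

Run stand-alone, the weak config yields nine findings (five CAT I, four CAT II) and the hardened config none. Two details are worth noting: the `private RW` community produces two separate findings (a default name and write access), and `line vty 5 15`, which already restricts access to SSH, is correctly left alone, which is the behaviour an auditor wants when only part of a device has been hardened. A real audit tool applies hundreds of such checks per platform and maps each to the control it evidences; the structure, a parser plus a list of independent checks with severities, is the same.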
Continuous monitoring of security controls and systems needs adequate resourcing. A well-resourced team with the right auditing tools makes FISMA compliance far more straightforward; monitoring controls and resolving issues takes time and effort, but it is vital for ongoing system security.
Secure your network
Titania Nipper is an accurate firewall and network configuration audit tool that can help organizations achieve compliance with FISMA. Nipper automates the assessment of 94% of the core network controls needed for FISMA compliance, saving auditors time and resources with each scan, and identifies vulnerabilities in routers, firewalls and switches.