Unpacking FISMA Compliance with Elinext Experts

In 2021, US federal agencies reported 32,511 information security incidents. With the responsibility of managing vast volumes of confidential data, government organizations face multiple challenges in keeping that information safe from ever-evolving cyber threats. To bolster their defense, compliance with key standards is paramount. And today we delve into one such standard, FISMA, as we move forward in our expert interview series.

What is FISMA?

FISMA, short for the Federal Information Security Management Act, is a legislative act in the US focused on electronic government. It was established to enhance information security and to support the operations of federal government agencies. Under FISMA, every federal agency is required to develop, document, and implement a program to safeguard the information and information systems vital to their operations. This includes systems managed or provided by other agencies, contractors, or external sources.

FISMA was enacted in 2002 by President George W. Bush to reduce risks associated with the security of federal data. Considering the rapid advancement of technology, in 2014 amendments were made and the 44th President of the United States, Barack Obama, signed a new bill into law that introduced these changes. This revised legislation was named the Federal Information Security Modernization Act, but the abbreviation remained the same — FISMA.

If we look at the evolution of this law, we’ll see that it initially targeted only federal agencies at the state and national levels. However, its scope later expanded to encompass all contractors handling significant governmental information and systems. As a result, private-sector companies now seeking to collaborate with federal agencies and government institutions must follow the same information security standards as these federal entities.

What is the role of NIST with regard to FISMA?

NIST, the US National Institute of Standards and Technology, functions as the primary certification and regulatory body for FISMA. It formulates and releases the standards and guidelines for achieving FISMA compliance, and its website carries updates and useful recommendations on how to meet FISMA requirements.

The oversight provided by NIST is rooted in the key publications it develops, such as FIPS 200, which outlines minimum security requirements for federal information and information systems, and NIST SP 800-53, which catalogs security and privacy controls for information systems and organizations.

Why was FISMA developed in the first place?

Initially, FISMA’s objectives were as follows:

  • introduce a program for managing risks;
  • safeguard information from unauthorized usage, disclosure, disruption, alteration, or destruction;
  • guarantee the confidentiality, integrity, and availability of protected information.

Under FISMA guidelines, systems must be accredited by an authorized official before they are allowed to operate. The official evaluates whether the security risks associated with confidential information and organizational assets, as well as potential risks to individuals and other organizations, are acceptable given the system’s setup and the common control measures in place. If deemed satisfactory, the system receives the green light.

Permission to operate is granted for three years assuming that there won’t be significant shifts in the system’s security status, either within this period or any agency-specific period. If major changes occur, re-authorization is necessary.

What are the steps necessary to achieve FISMA compliance?

As mentioned earlier, FISMA is the legislative act, while NIST publishes the standards and requirements that help organizations comply with it. With that in mind, FISMA compliance can be broken down into four major steps; working through them is what secures authorization to operate a system in line with NIST guidelines.

STEP 1 Initiation

STEP 2 Certification

STEP 3 Accreditation

STEP 4 Continuous monitoring

Let’s have a closer look at each of these steps.

1.   Initiation

During the initiation phase, resources are identified, and a thorough analysis of the security system is conducted. This step ensures that everyone involved aligns with the defined security plan. It’s crucial to carry out an initial risk assessment, conduct an audit, and test the system at this stage.

At this stage, the information system owner is responsible for:

  • collecting, detailing, and categorizing the system for evaluation by the designated official;
  • classifying the system and its information based on security tiers;
  • pinpointing threats, vulnerabilities, and security measures;
  • assessing the baseline risk;
  • facilitating communication and sending notifications;
  • planning and managing resources, often in partnership with other stakeholders;
  • updating the security plan as needed.

A primary focus during this phase is to draft and organize documentation to make sure the analysis during the certification phase is as effective as possible.

During the initial risk assessment, security categories are determined based on the potential consequences an organization might face from negative outcomes in the context of information security. These categories, when combined with insights about vulnerabilities and threats, play a crucial role in the organization’s overall risk assessment.

FISMA identifies three pillars of information security:

  • Confidentiality — safeguarding information against unauthorized access and disclosure.
  • Integrity — protecting from improper changes or deletion.
  • Availability — guaranteeing consistent and dependable access to information when needed.

Based on the security priorities, there are three levels of potential impact should there be a breach in information or system security:

  1. Low impact: a breach would cause a minor disruption to the organization, its assets, or its individuals.
  2. Moderate impact: a breach would result in a significant disruption affecting the organization’s operations, its assets, or individuals.
  3. High impact: a breach would lead to a major or even catastrophic disruption, severely affecting the organization, its assets, or its individuals.
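The three pillars and three impact levels above combine into a security category for the whole system. The following is an added example, not code from the Elinext article; it assumes the high-water-mark rule of FIPS 199 (the NIST standard FISMA categorization relies on, not something the article states): each information type a system handles is rated Low, Moderate, or High per objective, and the system inherits the highest rating found for each objective. The sample information types are constructed.

```python
# Added example, not part of the Elinext article. It applies the FIPS 199
# high-water-mark rule (an assumption drawn from the NIST standard FISMA
# relies on, not stated on the page): every information type a system handles
# gets a Low/Moderate/High impact level per security objective, and the
# system's security category is the highest level found for each objective.
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information processed by the system, with its impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level: str) -> int:
    """Order impact levels; unknown spellings are rejected rather than guessed."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def categorize(info_types: list[InfoType]) -> dict[str, str]:
    """Per-objective high-water mark across all information types on the system."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max((getattr(t, obj) for t in info_types), key=_rank)
            for obj in OBJECTIVES}


def overall_level(category: dict[str, str]) -> str:
    """Single impact level for the system: the highest of the three objectives.
    This value selects the NIST SP 800-53 control baseline the system must meet."""
    return max(category.values(), key=_rank)


# Constructed sample: a hypothetical benefits portal handling two information types.
SAMPLE = [
    InfoType("public web content", "Low", "Moderate", "Moderate"),
    InfoType("citizen PII", "High", "Moderate", "Low"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE)
    for obj in OBJECTIVES:
        print(f"{obj}: {cat[obj]}")
    print("system impact level:", overall_level(cat))  # High, driven by PII confidentiality
```

Note that a single High-rated information type lifts the whole system to the High baseline, which is why the initial risk assessment has to inventory every kind of data the system touches.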

After laying down the foundational concepts and preparing the necessary documentation, the authorized official proceeds to security certification.

2.   Certification

During this phase, it’s essential to confirm that all system controls are set up as initially planned. If there are any gaps or oversights, they are documented and the entire set of documents is revised before moving to the next step.

Throughout this process, the system owner works hand-in-hand with the authorized official to ensure the system is optimized and to prepare the documents for the upcoming accreditation stage. Key responsibilities of the system owner include:

  • providing comprehensive documentation and relevant supplementary materials;
  • regularly updating the security plan for the system;
  • outlining a clear action roadmap and preparation steps;
  • preparing a complete set of documents ready for authorization.

Once the second step is successfully completed, the full set of documents related to the information system is transferred to the third step of security accreditation.

3.   Accreditation

During this phase, the information is presented to the authorized official, who assesses whether the final risk aligns with what is considered acceptable risk. The official takes into account the agency’s day-to-day operations. Moreover, this official engages in discussions with the system’s owner and primary stakeholders. This collaborative approach ensures a comprehensive understanding of the situation and supports an informed decision-making process.

This stage is the make-or-break moment, as it is decided whether the information system gets the green light to operate. If there are hiccups in the paperwork or some red flags in the analysis, the authorized official might offer a provisional approval with certain constraints. This kind of approval is limited in time and highlights the areas needing fixing. The hope is that these can be addressed quickly, leading to full, long-term permission down the line.

After the system has been accredited, the authorized official becomes responsible for the system’s security, bearing full accountability for any adverse outcomes the agency might face due to security breaches. Hence, the official has a vested interest in thorough analysis and meticulous scrutiny of the system’s information security.

4.   Continuous monitoring

The fourth step wraps things up, but at the same time, it sets the stage for a fresh review cycle of the information system and its documentation. This step is ongoing monitoring and it includes:

  • configuration management;
  • security monitoring;
  • status reporting and documentation.

The primary focus is on maintaining a high level of security by monitoring security control elements, documenting any updates, and identifying emerging vulnerabilities. If an organization makes significant modifications to the security plan, re-accreditation might be necessary.

During this stage, the information system owner is responsible for:

  • documenting changes to the information system;
  • conducting a security impact analysis;
  • overseeing security and carrying out assessments;
  • updating the system security plan;
  • providing status reports.

This step calls for comprehensive documentation that captures all the hardware, software, and various components of the information system in use. Any tangible changes to the system, like adding new computers or altering room access, should be clearly noted.

Wrapping up

As is clear from the discussion above, FISMA is not a suggestion — it’s a mandate for all federal bodies to ensure their data remains secure and intact. And this isn’t limited to government entities alone. Any subcontractor or external supplier working for federal agencies falls under FISMA’s purview. The protective measures required are directly tied to the potential risk and the possible damage that could arise from unauthorized breaches or malicious misuse of this data. And the stakes for non-compliance are high. Federal agencies could see their funding dry up, while subcontractors could lose current contracts and miss out on future government-funded opportunities.

Staying current on the most important information security standards is a must in today’s cyber-centric age. At Elinext, our business analysts keep their fingers on the pulse to help our clients navigate the intricate web of regulations and implement robust and secure solutions tailored to their unique business needs.
