Federal Information Security Management Act (FISMA)


FISMA Security Compliance

FISMA is one of the most important regulations for federal data security standards and guidelines. It was introduced to reduce the security risk to federal information and data while managing federal spending on information security. To achieve these aims, FISMA established a set of guidelines and security standards that federal agencies have to meet. The scope of FISMA has since increased to include state agencies administering federal programs like Medicare. FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government.

Our team aids with the implementation of FISMA requirements, establishes the security objectives needed for compliance, and creates a roadmap to meet and comply with FISMA requirements.


FISMA Compliance Services

CyberSeccOp risk management consultants and security analysts are experts in helping Federal agencies comply with FISMA requirements to improve their security posture.

FISMA Assessment and Security Program

Vendors and subcontractors that provide information systems to agencies must demonstrate FISMA compliance through comprehensive annual assessments and remediation of the risks identified, based on FIPS 199, FIPS 200, and NIST SP 800-53 Revision 4.

  • Audit and optimization services

  • Information security program services

  • Security engineering support and vulnerability testing services

  • Network architecture analysis and design

  • System Development Life Cycle support

  • Enterprise business continuity analysis services

  • Enterprise incident response planning services

  • Security categorization of information systems and security control selection/tailoring

  • Documentation development for security policies and procedures

  • Development of system documentation and FISMA authorization

According to FISMA, a comprehensive information security program should include the following:

Information System Inventory: Every federal agency or contractor working with the government must keep an inventory of all the information systems utilized within the organization. In addition, the organization must identify the integrations between these information systems and other systems within its network.

Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” defines a range of risk levels within which organizations can place their various information systems.

System Security Plan: FISMA requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover items such as the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.

Security Controls: NIST SP 800-53 outlines an extensive catalog of suggested security controls for FISMA compliance. FISMA does not require an agency to implement every single control; instead, agencies are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organization must document the selected controls in its system security plan.

Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.

Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve FISMA Certification and Accreditation (C&A) through a four-phase process which includes initiation and planning, certification, accreditation, and continuous monitoring.

We have helped organizations achieve FISMA authorization from agencies such as the Social Security Administration, Department of Justice, General Services Administration, Health and Human Services, Department of Homeland Security, and others.