FISMA Compliance

Achieve Federal Information Security Management Act (FISMA) Compliance can be hard work, but is rewarding after completed. FISMA was designed to protect your company’s assets and information systems against a breach of security, loss of confidentiality of data, and or damage to your reputation. Also, it is a requirement to do business with the federal government. An independent review of your company’s Information Security Program must be conducted annually to maintain FISMA compliance.

What is FISMA Compliance?

FISMA stands for Federal Information Security Management Act also known as the E-Government Act of 2002. The FISMA Act was passed by US congress on December 2002 but was reformed in 2014 (refer to Federal Information Security Modernization Act of 2014). Over several years of working with the DoD and being actively involved in high-level Commercial working groups, we are fully aware of current trends and active FISMA Compliance related guidance. Equipped with this knowledge, we developed a custom-tailored approach to preparing clients for positive accreditation with risk management framework at its core. When it pertains to FISMA compliance, agencies face a dual responsibility. First, is to meet the specific requirements established by NIST in support of the FISMA requirements. The second, is to be able to provide a risk-appropriate level of assurance that critical information security controls are operationally effective and producing the intended outcomes.

Who is required to be FISMA compliant?

In the beginning, only agencies within the Federal Government were required to follow FISMA compliance. Then, State Agencies who administer federal programs had to follow suite. This would include Medicare, Medicaid, unemployment insurance, student loans, etc. Now, it has been expanded to the private sector including any companies performing projects supporting or funded by the U.S. Federal Government.

FISMA Requirements

Prepare System Inventory

Categorize information systems

Select a System Security Plan

Implement Security Controls

Certification & Accreditation

How to achieve FISMA compliance

Prepare information systems boundaries
Categorize the information system risk using NIST 800-60 / FIPS 199
Select security controls based on the objectives of providing appropriate levels of information security according to a range of risk levels and guidelines recommending the types of information and information systems to be included in each such category using NIST 800-53 Rev. 5 or FIPS 200
Implement NIST 800-160 Rev. 2 Controls – Developing Cyber Resilient Systems
Assess your security controls (NIST 800-53)
Authorize information system security risk (NIST 800-37 Rev. 2)
Monitor controls and system risk in real-time

Benefits of Becoming FISMA Compliance

While the main benefit of achieving FISMA compliance is passing the regulator compliance assessment, there are many other benefits. One being you will be allowed to bid on federal government contracts which could be very lucrative investment for your company. Choosing to implement a framework like FISMA is no simple task, but it will allow an organization insight on their current security risks. If your organization is considering adopting the FISMA compliance framework but isn’t sure how to get started Praetorian Secure can help. We have premade templates and will hold your hand through the entire process. Contact us today to learn about the other compliance services we offer such as RMF Compliance, MARS-e Compliance, NIST Compliance, and more.