The U.S. federal government collects vast quantities of data every minute, some of which it shares with the agencies and contractors that perform many of its functions. Those contractors are legally required to maintain the safety and security of that data to prevent its exposure to loss or theft. The Federal Information Security Management Act (FISMA) is the law that governs those data security efforts.
What is FISMA?
The Department of Homeland Security (DHS) administers and oversees the implementation and management of government data for the federal Executive Branch civilian agencies and contractors. Within that agency, the Office of Management and Budget (OMB) does the actual oversight work. A 2014 amendment to the terms of the original 2002 law updated the government’s cybersecurity practices:
- It relocated the federal information security information center to within the DHS;
- It revised notification policies for individuals whose private data might have been compromised by a federal contractor;
- It mandates that all agencies must report information security and data breaches to Congress both as they occur and annually, and
- It streamlined reporting to eliminate waste and improve the quality of that content.
Why Comply with FISMA?
Fundamentally, enterprises that work with federally-generated data are providing the security for that information on behalf of the U.S. government. Failure to keep it properly secured and used only in authorized ways could put the entire country at risk of damage caused by any number of threats. For that reason alone, FISMA compliance is mandated.
From the company perspective, FISMA compliance also makes good business sense. Federal contracts can be both lucrative and long-termed, so companies that get and remain in FISMA compliance are more likely to retain those federal contracts over time. Additionally, companies that advertise that they are FISMA compliant have a competitive edge over those that do not have that accreditation or certification.
Attaining FISMA Compliance
Most of the data security measures that create the FISMA matrix are products of the National Institue of Standards and Technology (NIST). NIST collects the regulations and rules that stem from federal laws and generates the processes and practices that federal agencies use to implement those regulations. In appropriate cases, the OMB enforces these practices through its Circular A-130, “Managing Information as a Strategic Resource” which requires agencies to:
- Have a plan to maintain data security;
- Assign appropriate officials to oversee the plan;
- Review the agency’s security plan on a regular basis, and
- Authorize processing relevant data before operations begin.
For FISMA compliance, NIST developed the Risk Management Framework to be a key element in an agency’s information security program by guiding the selection of security controls that will protect government-associated individuals, operations and assets.
Becoming FISMA Compliant
FISMA compliance differs from agency to agency, so every compliance process is unique to the adopting entity. Companies that follow these required FISMA guidelines will define the scope of their security plan while adopting best practices will ensure that more detailed efforts achieve the desired security goals.
Guidelines
Every FISMA security plan must have:
- An information system inventory that itemizes all the information systems contained within the organization. The inventory must also include the integration paths that connect the various aspects of the systems to each other and other entities.
- Defined categories of risk. NIST publishes standards for the categorization of federal information systems (FIPS 199) so that agencies can address specific types of risks with appropriately secured practices.
- A system security plan that is kept up to date and regularly maintained.
- Security controls that protect the data. Most companies draw their controls from the NIST publication SP 800-53.
- Risk assessments specific to the agency. The NIST SP 800-30 publication offers guidance to when addressing the risks contained within the three tiers of the risk management hierarchy: risks within the information system; risks pertaining to its business or mission process, and risks inherent in its organization.
- FISMA certification and accreditation is a four-phase process and required by all agencies that access federal data.
Best Practices
At a more granular level, companies that implement these best practice steps will move closer to achieving FISMA compliance:
- Begin by categorizing at its more granular level the information that needs protecting. Starting at the most basic level lets you build security layers up as you add measures related to subsequent layers of the corporation.
- Identify appropriate baseline controls that will provide the minimum necessary standard of security.
- Use a risk assessment procedure to finetune the security controls, based on how the enterprise uses, stores, manages or transmits that specific data.
- Document the controls as they evolve. Identifying the options chosen throughout the process provides a map that can be used to explain and clarify the controls-selection process.
- Implement the controls throughout the system. In many companies, this process becomes an ‘implement-test-revise ” loop as practical considerations further refine the security strategy.
- Review the agency-level data risks that don’t appear at the granular level. Understanding how data management affects the company’s mission can help identify where additional security measures are needed.
- Authorize the security system for whole-enterprise implementation. Again, this often requires the ‘implement-test-revise” loop before a truly effective system is in place.
- Implement monitoring practices to maintain vigilance over the security system as it interacts with workers, contractors, and other agencies.
If your company requires FISMA compliance, you can use the services of a managed IT provider to help you both attain and retain that highest standard of data security management.