Understanding the Significance of FISMA Compliance

In 2002, the U.S. federal government passed the Federal Information Security Act that requires closer monitoring of federal agencies, state agencies, and private businesses when it comes to the security of sensitive federal data. As a result, organizations have to implement certain security controls and maintain documentation of how those controls are kept, as well as whenever they're updated.

If you're working with a federal agency and you're worried you might not be in compliance with FISMA regulations when it comes to your phone provider, here's what you need to know.

What Is the Purpose of FISMA and What Does It Do?

FISMA, or Federal Information Security Management Act, is U.S. "legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats," says TechTarget.com.

FISMA was signed into law as part of the 2002 Electronic Government Act and requires federal agencies to create, record, and execute a program for information preservation and protection, with the goal of improving the administration of electronic government services and processes. The FISMA law also requires program officials, as well as the head of each agency, to conduct annual reviews or audits of information security programs, with the purpose of keeping risks at or below the acceptable levels in a timely, economical way.

What Does It Mean to Be FISMA-Compliant?

FISMA compliance is just a piece of a larger act called the E-Government Act of 2002. FISMA is one of the most critical governmental data security rules and guidelines, and compliance involves reducing the safety risk to government information and determining what to do with federal funds on securing information.

As a result, federal agencies are required to abide by a set of rules and standard security measures established by FISMA. These requirements are for both federal agencies as well as state agencies that administer federal programs such as Medicare.

Private businesses that have a contract with the government are also required to follow these rules. As of April 2010, agencies must provide live system data to FISMA auditors, which helps them continuously keep track of information systems monitored by FISMA.

FISMA Low, Moderate, and High-Impact Systems

FISMA provides different implementation options, depending on the levels of impact (high, moderate, low) for an agency or organization in the case of a security breach (loss of integrity, privacy, or accessibility).

Low-Impact Systems. Low-impact systems are systems that can survive being compromised and would only have a minimal negative effect on the organization or individuals.

Moderate Systems. Moderate systems usually cannot withstand a security breach. Attacks on moderate systems can result in serious consequences to the organization's individuals, operations, and organizational assets.

High-Impact Systems. High-impact systems are the least resistant to sustaining a breach in security. A breach could result in catastrophic damage to the organization and potentially lead to a shutdown of operations, a severe loss of intellectual property, physical damage to individuals, or significant financial loss.

FISMA Compliance Checklist

In order to remain in compliance with FISMA, use the following checklist to avoid penalties.

Maintain an Information System Inventory. Government agencies and contractors working with or for the federal government have to maintain an inventory of the information systems used. They are also required to pinpoint how these information systems are entwined with other systems in their network.

Categorize Information Systems. Companies must classify their data and data systems by risk to make sure that sensitive data and the systems that use that data are awarded the highest security ranking.

Maintain a System Security Plan. Agencies must compose a plan for data security according to FISMA regulations. Meaning, the plan has to be consistently updated and must detail things such as security policies, security controls employed throughout the company or agency, and a timeline for when more controls will be initiated.

Use Security Controls. Standard security controls must be applied to strictly fit the organization’s mission requirements and operational environments, and then documented in the System Security Plan. The document entitled “NIST Special Publication 800-53” includes a long list of recommended security controls to stay in compliance with FISMA.

However, you're not required to abide by the entire list, but you are expected to use the controls relevant to your agency and systems.

Conduct Risk Assessments. This FISMA regulation is a key component of the requirements of data security. Organizations must assess and validate their security controls to determine if their system requires any additional controls to continue to protect the organization's assets, operations, individuals, and other organizations.

Accreditation and Certification. System controls have to be functioning well and in good condition to get certified. Program officials are required to hold yearly security audits to make sure that risks are minimized. Agencies must undergo a four-step process:

  1. Introduction and planning
  2. Certification
  3. Accreditation
  4. Constant monitoring

What Is a FISMA Audit?

A FISMA audit is a review of an agency or organization's security controls and systems to make sure the agency is secure enough to survive a potential data breach. FISMA audits help agencies stay in compliance with the rules. Generally, auditors will verify the risk assessment process and determine whether current security controls are effective enough.

What Happens If You Don't Comply with FISMA?

Federal agencies, private businesses, and other organizations in violation of FISMA regulations become noncompliant. The penalties for FISMA noncompliance include, but are not limited to:

  • Decrease in federal funding
  • Admonition by Congress
  • Reputational harm

Is Your Business Phone Provider FISMA-Compliant?

When searching for a business phone provider, it's important to find one that complies with FISMA regulations. Working with one that is not FISMA-compliant could get you into serious trouble.

8x8 is rated as enterprise-ready by the Skyhigh CloudTrust Program. Companies that hold this prestigious designation are known to satisfy the most stringent Cloud Security Alliance (CSA) requirements for identity verification, service security, data protection, legal protection, and business practices. 8x8 goes to great lengths to protect the security and compliance of mission-critical communications.

When it comes to security, 8x8 provides reliable and compliant cloud solutions at a demanding level rarely seen by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our online form to request a no-obligation quote from an 8x8 Product Specialist.

  • Request a

    or call 1-866-835-2979