What You Should Know About FISMA Compliance
In 2002, the federal government passed the Federal Information Security Management Act (FISMA), which requires closer monitoring of federal agencies, state agencies, and private businesses when it comes to the security of sensitive federal data. As a result, organizations have to implement certain security controls and maintain documentation of how those controls are maintained and whenever they are updated. If you work with a federal agency and are worried you might not be in compliance with FISMA regulations, here is what you need to know about exactly what FISMA compliance is and how to stay in compliance.
What is FISMA and What Does it Do?
FISMA stands for Federal Information Security Management Act, and it is "U.S. legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats," according to TechTarget.com. FISMA was signed into law as part of the Electronic Government Act of 2002.
The FISMA law made it a requirement for federal agencies to create, document, and implement an information security and protection program. The goal was to improve the management of electronic government services and processes, according to Digital Guardian. The FISMA law also requires program officials, as well as the head of each agency, to conduct annual reviews or audits of information security programs, with the purpose of keeping risks at or below acceptable levels in a timely, economical way.
What is FISMA Compliance?
You may be wondering, "What is FISMA compliance?" and "How does it affect my agency or organization?"
FISMA is part of a larger act, the E-Government Act of 2002, and it was introduced to improve the management of electronic government procedures and services. As one of the most important regulations for federal data security standards and guidelines, FISMA compliance involves reducing the security risk to federal information and data and managing federal spending on information security. As a result, federal agencies are required to abide by a set of guidelines and security standards established by FISMA. These requirements apply both to federal agencies and to state agencies that administer federal programs such as Medicare. Private businesses in a contractual relationship with the government are also required to follow these rules. As of April 2010, agencies were required to provide real-time system information to FISMA auditors, which helps them continuously monitor any FISMA-regulated information systems.
FISMA Low, Moderate, and High-Impact Systems
Low-Impact Systems. Low-impact systems are systems that can survive being compromised; a breach would have only a minimal negative effect on the organization or individuals.
Moderate-Impact Systems. Moderate-impact systems usually cannot withstand a security breach, and attacks on them can result in serious consequences for the organization's individuals, operations, and organizational assets.
High-Impact Systems. High-impact systems are the least able to sustain a breach in security. A breach could result in catastrophic damage to the organization and potentially lead to a shutdown of operations, a severe loss of intellectual property, physical harm to individuals, or significant financial loss.
What Is NIST Compliance and How Does It Relate to FISMA?
The National Institute of Standards and Technology (NIST) plays a vital role in the FISMA Implementation Project launched in January 2003, which shaped the main security standards and rules required by FISMA. The NIST guidance describes nine steps to being in compliance with FISMA, including:
- Categorizing the information to be protected.
- Selecting minimum baseline controls.
- Refining controls using a risk assessment procedure.
- Documenting the controls in a system security plan.
- Implementing security controls in appropriate information systems.
- Assessing the effectiveness of the security controls once they have been implemented.
- Determining agency-level risk to the mission or business case.
- Authorizing the information system for processing.
FISMA Compliance Checklist
In order to remain in compliance with FISMA, use the following checklist to avoid penalties.
Maintain an Information System Inventory. Any federal agency or contractor working with or for the federal government has to keep an inventory of all the information systems used within the organization. The organization is also required to identify the integrations between these information systems and other systems in its network.
Categorize Information Systems. This rule states that organizations must categorize their information and information systems by risk to make sure that sensitive data and the systems that use that data are given the highest level of security.
Maintain a System Security Plan. Agencies are required to create a security plan according to FISMA regulations and to keep it consistently up to date. The plan must detail things such as security policies, the security controls employed within the organization, and a timeline for when additional controls will be put in place.
Use Security Controls. FISMA regulations require applying standard security controls tailored to fit the mission requirements and operational environment, and then documenting them in the System Security Plan. The document entitled NIST SP 800-53 includes a long list of suggested security controls for FISMA compliance. You are not required to apply the entire list, but you are expected to use the controls relevant to your organization and systems.
Conduct Risk Assessments. This FISMA regulation is a key component of the information security requirements. It states that organizations must assess and validate their security controls to determine whether their system requires any additional controls to continue to protect the organization's assets, operations, individuals, and other organizations. The NIST guidelines mandate that risk assessments be three-tiered to make it easier to find security risks at each level: the information system, business process, and organizational levels.
Certification and Accreditation. This regulation states that system controls have to be functioning well and in good condition to get certified. Every year, program officials are required to hold security reviews to make sure that risks are minimized. Agencies must go through a four-step process:
- initiation and planning,
- accreditation, and
- continuous monitoring.
Penalties for FISMA Non-Compliance
Federal agencies, private businesses, and other organizations that violate FISMA regulations are non-compliant and face penalties. The penalties for FISMA non-compliance include (but are not limited to):
- reduction in federal funding
- censure by Congress, and
- reputational damage.
Understanding FISMA regulations isn't as difficult as it may seem. As long as you implement the best security controls and systems and use common sense when it comes to keeping systems up to date and well maintained, you'll be in good shape to pass your upcoming FISMA audit. Stay in compliance by making sure your security systems are up to date and in great shape.