The Federal Information Security Management Act (FISMA), which was initially passed in 2002, mandates that all federal agencies implement, manage, and monitor policies to protect sensitive and confidential data.
Since then, the National Institute of Standards and Technology (NIST) has published the standards against which organizations are assessed for FISMA compliance. FISMA requirements apply to all public-sector and commercial organizations that handle federal contracts. To help you meet your legal obligations, we’ve put together this FISMA compliance checklist.
1. Protect your data
FISMA places more emphasis on information protection than system security. Of course, system security is vital, but in most cases, the most valuable part of these systems is their data.
Start with the information that matters most to your business and to the federal agency you work with, then work outward to the systems, groups, and individuals that surround it. This gives you a more cost-effective security approach and a stronger FISMA compliance posture.
2. Appoint a person responsible for data security
FISMA requires organizations to designate a person in charge of information security, with ultimate responsibility resting with the Chief Information Officer. However, the CIO does not have to be the person running the program. Whoever holds final authority over information security issues, policies, and risk management must be free of any conflicts of interest that could arise from their other duties.
That said, don’t push the role too far down the ladder. It won’t do to have a single network or system administrator handling security as one line item in a much larger job description.
3. Test the controls you have in place
FISMA requires organizations to test their security controls at least once a year. Testing must be carefully planned so that it achieves the following objectives:
- Conduct an in-depth review of the controls;
- Keep a record of the evaluation and findings; and
- Create a procedure to address findings.
The process goes much more smoothly if you keep accurate records, so set this up before the evaluation begins and assign someone ownership of the remediation work.
4. Accept that a 100% clean checklist is not possible
A 100% clean checklist indicates that either the organization being evaluated was not truthful or the auditor missed something. Even the government acknowledges this within FISMA, which requires agencies to have policies and processes in place to reduce risk to an acceptable level.
Each auditor will have a different idea of what “acceptable” means. When in doubt, exercise common sense and look at how best-practice frameworks treat the risk. Generally speaking, auditors are open to discussion if you can demonstrate a logical rationale behind a decision and compensating controls in other areas.
5. Create written reports
Even though it might sound counterintuitive, reports can actually prevent misunderstandings and save time. Remember that FISMA mandates yearly reporting for government agencies, and auditors expect to see those reports.
Using technology that improves visibility, refines reporting metrics, and reduces the workload will make your security program more efficient and make a good impression on auditors. For instance, a security information and event management (SIEM) system, such as OSSIM or ArcSight, can be extremely helpful in correlating event data from which metrics can be derived and reports generated.
The more evidence of an organization’s security work is available, the more likely it is to be accredited and approved under FISMA. It is also in the organization’s best interest to run security awareness training so that all employees, including contractors, understand the security risks related to their roles.
By taking deliberate steps to secure systems from failure, unauthorized users, and attacks, organizations can make sure that confidential data stays that way.
The regulations require ongoing compliance. Federal government contractors must continuously monitor their security procedures and maintain FISMA compliance, even outside of the mandated security risk assessments outlined above. Contractors must regularly stress-test their systems, perform internal audits, and address any new risks or other changes as they arise.
Whether you hire an internal resource or a specialized consultant to ensure compliance is up to you, but working with a consultant is one of the best ways to confirm that your security procedures are up to par if you want to reduce your liability.