FISMA Compliance Audit and Readiness Assessment Services
The Federal Information Security Management Act (FISMA) protects government information and assets from unauthorized access, use, disclosure, or destruction. Based on three major security objectives – confidentiality, integrity, and availability – it covers both information and information systems through corresponding controls, standards, and reporting requirements.
Who Needs to be FISMA-Compliant?
Federal agencies are required to be FISMA-compliant, as are state agencies that oversee federal programs (such as Medicare). These agencies must maintain their compliance to receive federal funding.
However, FISMA is not just for federal agencies. Cloud service providers, software vendors, contractors, and other private sector businesses that bid on federal contracts must meet the same regulations. These businesses must often prove their compliance when replying to a federal RFP.
Our FISMA Audit Services
To help you meet your federal compliance goals, 360 Advanced provides FISMA gap analyses, risk assessments, and compliance audits for both public and private sector organizations.
FISMA Gap Analysis
Our auditors can evaluate your current policies and procedures to determine which areas already meet FISMA standards. A gap analysis covers topics from access controls and encryption methods to employee training procedures and incident response plans, and results in a documented remediation plan for management.
FISMA Risk Assessments
Risk assessments, which are based on the NIST risk assessment framework, are required any time you make a change to your information system. Our auditors can help you assess the potential impact of a change; determine the likelihood of each vulnerability being exploited; and evaluate the potential impact of a breach. From there, you can determine which risks you can accept and which you can mitigate with compensating controls.
FISMA Compliance Audits
Once you’ve designed a FISMA-compliant information security plan, 360 Advanced can provide independent validation of your efforts. With third-party documentation that your policies and procedures meet the relevant requirements, formal auditing allows you to provide a higher level of assurance for your security posture.
Integrated Federal Cybersecurity and Compliance Engagements
If you’re pursuing federal contracts, you may be asked to meet multiple government standards. At 360 Advanced, we have extensive experience with FISMA, FedRAMP, NIST, DFARS, and other federal information security frameworks (as well as non-federal-specific standards such as ISO and PCI DSS). Our auditors can help you determine which regulations apply to your organization and the most efficient way to meet those requirements.
Preparing for a FISMA Audit
Understanding Levels, Guidelines, Controls, and Metrics
New to federal compliance auditing requirements? Discover everything you need to know about information security requirements:
The Relationship Between NIST and FISMA
FISMA is a law. The National Institute of Standards and Technology (NIST) creates the standards and security controls that are required for FISMA compliance, as well as the risk management and risk assessment frameworks that are used in the audit process.
FISMA Guidelines
Using NIST standards and security controls, FISMA provides guidelines for:
- Creating and maintaining an information system inventory
- Classifying information and information systems according to their risk level
- Maintaining a system security plan
- Conducting risk assessments
- Continuously monitoring threats
- Maintaining certification and accreditation
Inventory and risk classification are the first steps; from there, you can start designing and implementing appropriate controls.
FISMA Risk Levels
Risk classification covers both Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). You will need to assign a risk level to each type of data that you handle – whether in electronic or non-electronic format.
- Low-Impact information (such as contractor agreements and proprietary business information) would have only a minor impact on your ability to function if compromised.
- Moderate-Impact information (such as process manuals and financial information) would significantly impact your organization’s mission if it were compromised. A breach could cause significant damage to assets, significant financial loss, or significant harm to individuals.
- High-Impact information (such as military plans and critical infrastructure documents) would severely damage government entities or individuals – up to and including the potential loss of life – if compromised.
Once you have determined the appropriate risk levels for your information and systems, you can ensure that appropriate security measures are in place to protect against threats.
FISMA Controls
To be compliant, organizations must implement controls across the following categories:
- Access controls
- Awareness and training
- Audit and accountability
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical and environmental security
- Program management
- Security assessment and authorization
- Security planning
- System and communication protection
- System and information integrity
- System and service acquisition
- Risk assessments
FISMA Metrics
Once controls are in place, FISMA requires continuous monitoring and documentation of an organization’s progress. Each organization’s head of information security must report on key metrics, such as:
- The number of hardware assets and mobile devices connected to the organization’s networks
- The common security configuration baseline for each hardware asset and mobile device
- The type of cloud services an agency uses and the vendor for each
- The number and percent of privileged and unprivileged users with network accounts
- The number of systems that encrypt federal data while at rest
- The remote access connection methods used by each type of removable media
These metrics help agencies assess their progress toward achieving outcomes that strengthen data cybersecurity.