Wiz Experts Team
What is FISMA compliance?
FISMA compliance is the set of processes, controls, and protocols an organization must have in place to ensure its information assets satisfy the requirements of the Federal Information Security Management Act (FISMA). It is mandatory for federal agencies across the United States and contractors that process federal information.
The regulation forms part of the wider E-Government Act of 2002, which set out to improve the way in which electronic government services in the U.S. were being managed.
The FISMA advocates an optimized approach to security and privacy management by helping agencies strike the right balance between risk mitigation and cost. It does so by requiring measures that are appropriate to the level of risk to their data and magnitude of impact from a harmful event, such as unauthorized disclosure or disruption of service.
The FISMA isn't a single set of universal standards and guidelines, but rather a multi-tiered collection of components whereby organizations need only implement categories of controls that are appropriate to the nature of the information they store and process. The most important of these components are as follows.
National Institute of Standards and Technology (NIST) 800 Series
A series of frameworks that form the basic building blocks of FISMA compliance. The foremost of these is NIST SP 800-53, a catalog of technical and operational measures for protecting the confidentiality, integrity, and availability of governmental information. The controls are grouped into three tailored baselines, and the baseline you select depends on the risk level of the data you need to protect.
The framework includes 20 control families, with more than 1,000 controls and control enhancements covering a comprehensive range of security responsibilities—from access control, configuration management, and incident response to risk assessment and system and services acquisition.
NIST SP 800-53 is mandatory for all federal agencies and contractors or subcontractors that have access to a federal information system.
NIST SP 800-171 is another set of security and privacy controls that shares much in common with NIST SP 800-53. It is designed to help safeguard information elsewhere in the federal data supply chain and is compulsory for private contractors of federal agencies that store or process controlled unclassified information (CUI) on their own systems. It is essentially a subset of NIST SP 800-53, with far fewer security requirements.
Federal Information Processing Standard (FIPS)
FIPS 199
FIPS 199 provides a framework for categorizing federal information based on the likely impact in the event of loss of confidentiality, integrity, or availability. The three categories are:
Low impact: Any event would have relatively limited ramifications.
Moderate impact: An incident could have a serious adverse effect on operations, assets, or people.
High impact: The consequences could be catastrophic, such as a major financial loss or severe harm to individuals.
Where the impact level differs across the three objectives of confidentiality, integrity, and availability, the most severe level becomes the security category for that information system.
FIPS 200
FIPS 200 is a framework that works by mapping the security objectives of your organization against FISMA compliance requirements. It is used in conjunction with FIPS 199 to help you select the appropriate NIST SP 800-53 baseline security controls for your information systems.
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is an adapted version of the FISMA designed for governmental use of cloud service providers (CSPs).
The program divides requirements into two sets of controls—one for the CSP and the other for the federal agency or contractor using its services. This streamlines FISMA compliance and prevents unnecessary duplication of responsibilities.
Ensuring full compliance requires that the federal agency or contractor both use a CSP with FedRAMP authorization and meet its own FedRAMP obligations.
Top-level FISMA requirements
The components of the FISMA combine to form a series of high-level requirements, as follows:
Maintain an inventory of information systems: Keep an up-to-date record of all salient information systems within your control. This should also include integrations with any third-party systems.
Categorize risk: Determine the category of risk for each of the systems in your inventory using FIPS 199 guidelines.
Implement security controls: Use FIPS 199 and FIPS 200 to select the baseline controls required to protect each of your categorized families of data, then apply them to your systems.
Assess risk and refine controls: Identify potential threats to and vulnerabilities in your systems. Then assess whether the controls you've implemented are sufficient to mitigate such risks, taking remediation steps as practical and necessary.
Develop a system security plan (SSP): Draw up a document detailing security policies and controls, along with a roadmap for implementing further controls. The SSP plays an important role in your annual compliance validation and should be reviewed and updated on a regular basis.
Conduct annual security reviews: Validate compliance by conducting annual reviews with a view to ensuring controls operate correctly, meet minimum security requirements, and are commensurate with the risks to your data. Those responsible for your information systems must submit the results of their reviews to a senior-level agency official, who will either authorize use of the system or request further changes.
Continuously monitor information systems: Maintain an ongoing commitment to monitoring your information systems. This will help you assess the effectiveness of your controls over time and determine whether any changes are necessary. How regularly you need to monitor specific systems and controls will depend on how often they tend to be affected by change.
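The first three requirements above (inventory, FIPS 199 categorization, and baseline selection) can be expressed as a small, repeatable procedure. The script below is an added illustration, not code from Wiz or from any NIST publication: it takes a constructed inventory of hypothetical systems, each with one or more information types rated low/moderate/high for confidentiality, integrity, and availability, applies the FIPS 199 rule that the most severe rating wins (first across information types for each objective, then across the three objectives), and maps the resulting category to the corresponding NIST SP 800-53 baseline name. System and information-type names and all ratings are invented for the example.

```python
from typing import Dict, Iterable, Mapping

# Ordinal ranking of the FIPS 199 impact levels: low < moderate < high.
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def normalize_level(level: str) -> str:
    """Canonicalize an impact level string; reject anything outside FIPS 199's three levels."""
    key = level.strip().lower()
    if key not in IMPACT_RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return key


def highest(levels: Iterable[str]) -> str:
    """Return the most severe of the supplied impact levels (the FIPS 199 'most severe wins' rule)."""
    normalized = [normalize_level(lvl) for lvl in levels]
    if not normalized:
        raise ValueError("no impact levels supplied")
    return max(normalized, key=IMPACT_RANK.__getitem__)


def system_category(info_types: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Aggregate per-information-type C/I/A ratings into a system-level security category.

    Step 1: for each objective, take the highest rating across all information types the system handles.
    Step 2: the overall category is the highest of the three per-objective results.
    """
    if not info_types:
        raise ValueError("a system must list at least one information type")
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        result[objective] = highest(ratings[objective] for ratings in info_types.values())
    result["overall"] = highest(result[objective] for objective in OBJECTIVES)
    return result


def baseline_for(category: str) -> str:
    """Map a FIPS 199 security category to the SP 800-53 baseline selected under FIPS 200."""
    return f"NIST SP 800-53 {normalize_level(category).capitalize()} baseline"


def categorize_inventory(inventory: Mapping[str, Mapping[str, Mapping[str, str]]]) -> Dict[str, Dict[str, str]]:
    """Produce a categorization report for every system in the inventory."""
    report: Dict[str, Dict[str, str]] = {}
    for system_name, info_types in inventory.items():
        category = system_category(info_types)
        report[system_name] = {**category, "baseline": baseline_for(category["overall"])}
    return report


# Constructed sample inventory: hypothetical systems, information types and ratings, not real data.
SAMPLE_INVENTORY = {
    "grants-portal": {
        "public-web-content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
        "applicant-pii": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    },
    "case-management": {
        "investigation-records": {"confidentiality": "high", "integrity": "moderate", "availability": "moderate"},
    },
    "status-page": {
        "service-status": {"confidentiality": "low", "integrity": "low", "availability": "low"},
    },
}


if __name__ == "__main__":
    for name, row in categorize_inventory(SAMPLE_INVENTORY).items():
        print(
            f"{name}: C={row['confidentiality']} I={row['integrity']} A={row['availability']}"
            f" -> {row['overall']} ({row['baseline']})"
        )
```

Two design points are worth noting. The aggregation is done per objective before taking the overall maximum, so the report still shows that, for example, a system is high-impact only because of confidentiality; that detail is what lets you tailor controls within the selected baseline rather than treating every objective as high. And unknown rating strings raise an error instead of silently defaulting to low, which is the failure mode you least want in a categorization exercise.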
The fundamental objective of the FISMA is to help federal agencies and their contractors adopt a robust and efficient risk-based approach to information security. This, in turn, reduces the likelihood of a security event and also helps improve incident response procedures.
Voluntary compliance is also beneficial to many organizations operating in the private sector, as it can not only help them strengthen their security but also lay the foundations for attracting new business in the federal domain.
But it's also important to bear in mind that the FISMA is intended as a starting point for a strong security posture. You should therefore look to go beyond the NIST baseline controls, through security enforcement that ensures you have all bases covered and not just those that are necessary for compliance.
Compliance and security are two different disciplines with different objectives. Compliance is a box-ticking exercise to ensure you meet third-party requirements whereas security is much more specific to your organization's individual needs. Nevertheless, they're still closely related practices.
This should be reflected in your security tooling—which should not only provide a wide range of capabilities to protect your information assets but also benchmark your security posture against compliance frameworks such as the FISMA.
Such tools should help you identify compliance violations across a comprehensive array of mandatory controls. They should support a risk-based approach to security, in line with the underlying principle of the FISMA. And, ideally, they should consolidate capabilities into a single centralized solution. This will make compliance and security far easier to manage and help reduce blind spots in your cyber defenses.
Finally, if you process or access federal data in the cloud, then your choice of tooling must also be FedRAMP compliant. That way, whether you're a federal agency or public-sector contractor, you can be sure of a solution that meets FISMA or federal contractual requirements.