This guide explains how FISMA applies to government contractors, what the requirements are, and the options contractors have for meeting them.
Overview of FISMA
The Federal Information Security Management Act of 2002 (FISMA), updated by the Federal Information Security Modernization Act of 2014, establishes a framework for protecting federal information and information systems from the cyber security threats facing them. FISMA applies to all federal agencies and to government contractors that process federal information or operate federal information systems on an agency’s behalf, for example by providing a cloud-based platform.
NIST Special Publication 800-53 is the catalog that defines these requirements. It gives federal agencies and contractors a set of security and privacy controls, along with guidance on selecting the data protection measures that fit an organization’s systems and risks. The Revision 4 document runs to 462 pages and catalogs 212 controls. Agencies and contractors do not implement every one of these controls; they start from the baseline that matches the system’s impact level under FIPS 199 (low, moderate or high), tailor it to the system, and must then meet the minimum standards for every control they have selected.
This unified framework ensures that all federal agencies and contractors share a minimum level of protection for their information systems, while leaving each organization enough flexibility to choose the measures that best address the risks it faces.
FISMA Compliance Requirements
Multi-tiered Risk Management
FISMA uses a three-tier approach to risk management. Tier 1 is the organization, Tier 2 is its missions and business processes, and Tier 3 is the individual information systems. Tier 1, at the top of this pyramid, represents the strategic risks facing the agency as a whole; Tier 3, at the bottom, represents the tactical risks to specific systems.
Security Control Structure
NIST 800-53 Revision 4 groups its controls into 18 families, each covering a primary area that a federal agency must address in its security strategy. They are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical and Environmental Protection
- Planning
- Program Management
- Risk Assessment
- Security Assessment and Authorization
- System and Communications Protection
- System and Information Integrity
- System and Services Acquisition
Each security control has five components: the control statement itself, supplemental guidance on implementation, control enhancements for going beyond the base control, references, and the control’s priority and baseline allocation. By implementing the applicable controls from these 18 families, federal agencies and contractors cover the common areas of risk that threaten government information systems.
Security Control Baselines
NIST 800-53 defines three security control baselines, low, moderate and high, matched to the FIPS 199 impact level of the system. These act as a security foundation for each agency so that all of them meet the same minimum standards. Agencies are not restricted to the baselines: they can add controls and enhancements that go beyond the minimum where the risk to their information systems warrants it and their IT security budget allows.
Security Control Designations
The security controls in NIST 800-53 fall under three designations: common controls, which are implemented once and inherited by multiple systems; system-specific controls, which belong to a single system; and hybrid controls, which are partly common and partly system-specific. The federal agency uses these designations to assign responsibility for each control, understand its impact, document the security measures appropriately, and reduce implementation and assessment costs by not re-implementing inherited controls for every system.
External Service Providers
Many federal organizations rely on external service providers for essential parts of their information systems; cloud-based services are a common example. When an external provider handles federal information or operates an information system for a federal agency, it has to meet FISMA security requirements. The agency remains accountable for the resulting risk, so it must verify that the provider is compliant. Organizations typically handle this by writing the Risk Management Framework (NIST SP 800-37) requirements into the contract.
In some cases it is not possible or practical to establish the appropriate level of trust with an external partner. Organizations then have a few options: apply compensating controls to mitigate the risk in the service, accept the risk if it falls within the established risk tolerance, transfer the risk through insurance, or decline to work with that provider. The drawback of declining is that the provider may offer functionality that is not available from other partners.
Assurance and Trustworthiness
The information systems that federal agencies use have to be reliable, resilient and trustworthy at all times. NIST 800-53 Revision 4 defines trust as “the belief that an entity will behave in a predictable manner while performing specific functions, in specific environments, and under specified conditions or circumstances.”
This trust is established by preparing information systems to keep operating when failures, cyber attacks, human error and disruptions occur. While trust is ultimately a subjective judgment, it comes down to confidence that the system’s integrity and availability will not be compromised by commonplace threats. Security functionality (the controls in place) and security assurance (the grounds for believing they work as intended) are the two components that determine the trust level of a federal information system. The security evidence produced by developers, integrators and assessors provides that assurance.
Options for Government Contractors to Comply
Do it Yourself: Meet Compliance Requirements In-House
If a government contractor has the expertise and resources available, FISMA compliance can be achieved in-house. The in-house team can follow the assessment procedures NIST publishes in SP 800-53A to evaluate each selected control.
If the contractor lacks the expertise to meet the requirements set out in the NIST documentation, it can outsource the work to a third party such as a Managed Security Service Provider (MSSP) with NIST 800-53 experience. Many MSSPs in the U.S. specialize in compliance services and monitored cyber security for government contractors that need to meet FISMA requirements. An MSSP can perform the assessment and carry out any remediation work needed to become compliant.
Outsource: Work with a FISMA Consultant
For many small contractors, the most effective way to meet the requirements of FISMA is to outsource the task to a Managed Security Service Provider (MSSP) that specializes in FISMA consulting or IT risk management and compliance. Remember that the contractor remains ultimately responsible for ensuring that the company meets the FISMA requirements, so it is essential to choose an MSSP you can trust.
By outsourcing the FISMA compliance work to a qualified provider, contractors should save considerable time and money getting and staying compliant. An outsourced provider will have the document templates for the gap analysis and the System Security Plan, as well as the tools required to monitor and respond to security incidents. It will also have the resources to perform the remediation steps required to become compliant and to produce the documentation that demonstrates compliance has been reached and is being maintained, should the government or the federal agency ask.
The Gap Analysis
The first step towards compliance is for the MSSP to establish how close, or how far away, the DoD contractor is from meeting the minimum requirements outlined in NIST 800-53. This process is called the gap analysis. A gap analysis is designed to discover system configurations and processes that may not meet the FISMA regulations. Taking a close look at a company’s network and procedures is the first step to ensuring compliance.
The results of the gap analysis may reveal issues including, but not limited to:
- How access to information systems is controlled
- How managers and information system administrators are trained
- How data records are stored
- How security controls and measures are implemented
- How incident response plans are developed and implemented
Without a gap analysis, it is impossible to know what changes an organization needs to make before it meets the FISMA regulations. The professionals at an MSSP use their findings to create remediation plans that correct the problems found and keep clients in line with FISMA compliance standards.
The gap analysis will either guide a contractor in carrying out its own remediation plan, or the contractor may opt to have a third party, such as an MSSP, perform the remediation.
The Remediation Plan
An MSSP develops a remediation plan based on the findings of the gap analysis. A remediation plan may involve small, relatively inexpensive fixes to a network and its processes, or it may call for more extensive, ground-up development of compliant networks and processes that meet current NIST cyber security standards.
Remediation plans carefully document the processes that do not meet current standards and the changes required. A well-researched plan also makes it easier for contractors to make the necessary changes to their systems in a controlled order.
Ongoing Cyber Security Monitoring and Reporting
Once the remediation plan is complete and a contractor’s systems and procedures are FISMA compliant, an MSSP will have the tools and processes in place to monitor, detect and report on cyber security incidents within the contractor’s systems in accordance with the NIST 800-53 Incident Response (IR) control family. If the contractor is not outsourcing compliance to an MSSP, it can report cyber incidents itself, provided it has the tools to monitor and detect them. For those contractors, see “What to do if a Security Breach Occurs” below.
Legal Documentation: How to Prove You Are Compliant to the DoD in Case of Audit
Once the MSSP has helped a client meet FISMA/NIST SP 800-53 standards, it provides the documentation that demonstrates compliance, such as the System Security Plan, the assessment results and the plan of action and milestones for any open findings. This is the evidence an auditor will ask for, and it is the contractor’s protection against potential fines. Rather than taking that risk, companies should make sure they hold as much of this evidence as possible; otherwise they could find themselves spending heavily on court costs and fines.
What to do if a Security Breach Occurs
According to the US-CERT Federal Incident Notification Guidelines (US-CERT is now part of CISA), FISMA requires federal Executive Branch civilian agencies to notify and consult with US-CERT regarding information security incidents involving their information and information systems, whether managed by a federal agency, a contractor, or another source. The notification requirement states that incidents must be reported within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In some cases it may not be feasible to have complete and validated information for every field of the notification before reporting. Agencies should provide their best estimate at the time of notification and supply updated information as it becomes available. Incidents can be submitted via the US-CERT Incident Reporting System. A contractor operating a federal system therefore needs an incident response procedure that gets confirmed or suspected incidents to the agency’s CSIRT or SOC quickly enough for the agency to meet this one-hour window.
SysArc’s FISMA Compliance Solution
At SysArc we work alongside your organization to determine which steps are necessary to meet NIST 800-53 guidelines in order to be FISMA compliant. Our approach follows our managed security services plan, applying our professional team, documented processes and proven tools to meet your compliance needs.
Our Security Operations Center (SOC) team of specialists sets up alerts to monitor for potential threats and promptly remediates any that are found. We pay careful attention to detail in identifying weaknesses and implementing best practices so that the security measures in place prevent future threats.
A security services plan is set up to collect and analyze data, focusing on the events that could be most impactful to your organization. We use threat intelligence tools to organize tasks and execute operations efficiently.
The tools we use include, but are not limited to:
- Vulnerability Assessments: determine the points of weakness through which attackers may reach critical systems and protected data.
- Behavioral Monitoring: monitors activity across the environment and spots anomalies.
- Intrusion Detection: identifies known threats and malicious activity at the point of entry.
- Security Information and Event Management (SIEM): correlates event data to detect patterns of attack and supports blocking in accordance with compliance guidelines.
For more information about how SysArc can help Government Contractors comply with FISMA, please see our FISMA/NIST 800-53 Compliance Solution.