What Is FISMA Compliance and Who Does It Impact?

January 10, 2022

Big Brother is always watching...to make sure you’re staying compliant.

We’ve talked in detail about compliance and the various ways companies are required to stay compliant. We’ve also discussed how compliance affects each industry differently. In this article, we’ll continue that trend by focusing on FISMA compliance and the impact it has on our government.

What is FISMA compliance?

To understand the full scope of FISMA compliance, you need to first learn the history and meaning behind FISMA. The first incarnation of FISMA was known as the Federal Information Security Management Act of 2002 and is part of the Electronic Government Act.

In 2014, FISMA was rewritten and signed into law by President Obama. With the rewrite came a name change and additional provisions included to build a more robust data protection program.

Today, the latest version of FISMA is called the Federal Information Security Modernization Act of 2014. People often use the term FISMA as shorthand for the latest version of the legislation, but it is also often referred to as FISMA Reform.

FISMA compliance applies to all government agencies with no exceptions. It requires all federal agencies to ensure the security and safety of all agency information. It also applies to government contractors and any third-party vendors that are used to support agency operations.

Who oversees FISMA compliance?

FISMA takes a lot of its regulatory cues from the Federal Information Processing Standards (FIPS). FIPS was developed by the U.S. government and helps guide the overall goal of ensuring confidentiality, transparency, and availability of federally held information.

There are two regulatory bodies that work with FISMA:

The National Institute of Standards and Technology (NIST) which has the authority to create programs that bolster IT security and risk management practices.

The Department of Homeland Security, which is responsible for administering the implementation of the programs created by NIST in order to secure federal information systems.

The 2014 revision of FISMA also requires any agency that experiences a FISMA violation to report the incident to Congress within seven days of discovery.

Why is FISMA compliance important?

The government controls a lot of information, and letting that information fall into the wrong hands could lead to dire consequences. Because the risk of catastrophe is so high for a potential government data breach, the standard for protecting that data needs to be equally high.

The controls put in place to protect government information must match the risk and potential scale of harm that could transpire if that data were accessed, distributed, or manipulated by a malicious source.

Potential consequences for not following FISMA compliance can be huge. Any federal agency that fails to be FISMA compliant runs the risk of losing federal funding. If you’re a government contractor, you could lose your entire business or miss out on future bids for government-funded projects.

What is required for FISMA compliance?

In lieu of covering each of the specific requirements and protocols required by FISMA, we’ve pulled some of the major themes out for you and your chief compliance officer to review.

[Figure: FISMA requirements]

These themes should act as a high-level guide and serve as a jumping-off point for your own research. You can find more information about each of the requirements shown in the figure in the numbered sections that follow.

1. Certification and accreditation

FISMA requires program officers, compliance officials, and agency heads to oversee annual security reviews. These reviews are used to evaluate risk management strategies and keep potential compliance risks to a minimum. Some agencies choose to acquire a FISMA certification and accreditation (C&A) to aid in this process.

2. Information system inventory

All federal agencies and government contractors must keep an inventory of every IT system used within their organization. They’re also required to track and identify the different integrations between these systems and any other systems within the same network.

3. Risk assessment and categorization

A risk assessment is an internal review of an agency’s compliance program in which potential risks will be identified. A plan is then set in place to review, resolve, and monitor risks. NIST recommends that all risk assessments cover a review at the organizational level, the business process level, and the IT system level.

Once a risk is assessed, federal agencies must categorize each risk in order of importance. The highest level of security risk is then given first priority. FIPS outlines the range of risk levels within an organization to act as a guide for risk categorization.

4. Security controls

NIST SP 800-53 outlines an exhaustive list of suggested security controls that can be used for FISMA compliance. FISMA doesn’t require agencies to implement every single control. Rather, they are encouraged to review the materials and only apply the controls that are relevant to their agency.

For example, the EPA, which regulates environmental protections, wouldn’t use the same controls as the FCC, which monitors broadcast, television, and radio.

You need to have security controls chosen and put in place before you move onto the next step, which is creating a system security plan.

5. System security plan

FISMA requires all federal agencies to have a security plan in place should there be a breach in compliance. This plan is expected to be regularly maintained and annually updated to provide the best security solutions. Security plans should include security policies, best practices, and a timeline for dealing with potential security risks.

How to create a FISMA compliance program

We’ve said it before in articles about this topic, but we’ll say it again: technology is changing the way we work. Even government agencies, which have long held the stereotype of being behind when it comes to technology, are catching up fast.

That’s why it’s important to consider compliance software solutions when creating a FISMA compliance program. You’ll want a tool that can provide multiple capabilities and include the different stakeholders required for compliance.

Products like G2 Track have gained popularity in the last several years because they are simple solutions for compliance management. And with FISMA placing such importance on managing information and vendor agreements, G2 Track offers a one-stop solution for your FISMA compliance needs.

You can visit the G2 Track website to learn more about each of our solutions offerings, software integration options, and to sign up for the free forever plan. Even if G2 Track isn’t the right product for your company, you can use it as a way to explore the capabilities offered by compliance software solutions without any upfront cost.

Use bureaucracy as your blueprint

FISMA compliance may only apply to government affiliates, but considering most compliance is handled by government agencies, there are valuable lessons you can learn from FISMA compliance.
