Preparing for a FISMA Audit: 3 Crucial Steps
Originally passed in 2002, the Federal Information Security Management Act (FISMA) requires all federal agencies to implement, manage, and monitor plans to protect their most sensitive data. Since then, the National Institute of Standards and Technology (NIST) has established specific criteria by which organizations can be evaluated to determine if they are FISMA compliant. These compliance procedures involve meeting minimum requirements for information security procedures, outline specific types of systems and security protocols that agencies must match, and the process by which they should approve vendors to meet the same compliance standards. They also create a standard risk assessment process, allowing individual agencies to address concerns based on their unique security requirements.
A FISMA audit evaluates whether a federal agency, state agency or vendor working with an agency required to meet these requirements is in compliance with the standards. The FISMA guidelines are mapped out in NIST 800-53, NIST 800-171, FIPS 199, and FIPS 200. Any other NIST 800-XX documentation that applies to your industry or application may also be required reading to reach the level of compliance needed to pass a FISMA Audit. Let’s take a closer look at those steps and what you should keep in mind when preparing for your audit.
Providing Services to Federal Agencies
Separate from FISMA, the Federal Risk and Authorization Management Program (FedRAMP) was established to certify and authorize cloud service providers and other third-party vendors for this purpose, using a set of established criteria to standardize the approach to security assessment for outside vendors. FISMA and FedRAMP audits evaluate different elements, but while FISMA is required annually, reviewing reporting and current security guidelines, FedRAMP is a one-time process. That said, the number of controls is higher for FedRAMP with 326 for Medium compliance and 421 for High compliance, compared to 261 for Medium with FISMA and 343 for High with FISMA. If you are preparing for FedRAMP authorization, it is likely much of the work you are doing will carry over for annual FISMA audits.
Step 1 – Creating a Data Security Plan
Your data security plan is the core of your FISMA compliance journey. It needs to reflect the specific risks that your organization faces, the means by which a bad actor could access and influence data, and the way in which you’d respond if there was a security breach. In short, what’s your game plan if there is an issue with your data security? As simple as this might sound, many organizations lack a comprehensive plan or have not updated their plan in several years. With a surge in ransomware attacks, implementation of new privacy regulations both globally and domestically, and the increased willingness of bad actors to attack government and government serving organizations, it’s more important than ever to have an up-to-date plan in place.
What does such a plan look like? Some of the controls you should evaluate as part of your plan include:
- Access Control Definitions – Organizations should clearly outline how they protect systems and data from unauthorized access.
- Incident Response Strategy – When something happens, what is the formal process for finding, containing, and resolving the issue?
- Tracking Activity – How is user activity tracked and audited to ensure accountability throughout your information systems should any unauthorized activity be detected?
- Identification and Authentication Steps – Your organization should have systems in place to verify all identities of system users. Multi-factor authentication is required, role-based access should be implemented, and password rules set.
- Risk Assessment – Risk assessment should be conducted on a regular basis to effectively identify potential risk in your organization, assess the impact it could have, and prioritize response.
- Managing Systems – When a new system or service is implemented, it should be secured immediately and maintained throughout the lifecycle of its use. Similarly, any system flaws should be identified and reported in a timely manner to ensure a quick response.
- Physical and Personnel Security – What security steps have been implemented to account for physical access to equipment, facilities, or data storage? What about security surrounding personnel and physical or virtual access to data?
- Contingency Planning – Does your organization have a constantly updated business continuity plan in place to account for a potential disaster or cyberattack?
- Training – All personnel should be trained regularly to ensure they fully understand the potential risks faced in your organization and their role in mitigating them as much as possible. Have your teams take ownership over data security to reduce the risk of a future breach.
Step 2 – Staying Constantly Up to Date with FISMA Requirements
As the landmark law passed by the US Congress to address information security in the federal government, FISMA has been updated several times in the last nineteen years. Both to respond to new and emerging threats, and to remain consistent with other legislation that addresses things like privacy and new technologies, FISMA is ever-evolving. Especially right now, as new privacy regulations related to PII are considered in Congress (and comparable bills are passed at the state level), organizations should have someone who spearheads overseeing any changes to FISMA requirements, updating your data security plan to match when necessary.
Step 3 – Document All of Your Efforts
Document everything. The purpose of an audit is to prove that you’ve done what you said you have done. There’s nothing worse than lacking the documentation to show that a specific control has been implemented or that a cloud service provider you work with meets the necessary requirements to stay in compliance. Document all changes, upgrades, migrations, or adjustments to your data security plan to ensure you have the records on hand when needed and can show that you are in compliance with all the controls outlined by NIST guidelines.
Staying Vigilant in Your FISMA Compliance Efforts
Whether you plan to work with federal and state government agencies, are interested in improving the perceived value of your service to non-government prospects, or are already working with an organization that requires FISMA compliance, it’s important to have a plan in place for how to approach your audit.
If your data security plan is out of date or not fully implemented, Bedroc can help. We provide comprehensive security assessments and cloud security evaluations to help organizations build a strategy for success and address the unique requirements of the FISMA program. Contact us to learn more.