The Federal Information Security Management Act (FISMA) now reaches into more industries than ever before. No longer is FISMA just a government concern. FISMA regulation is now being implemented in the healthcare, financial and tech industries as government agencies outsource IT and mission needs to third-party providers.
Based on an ever-growing number of National Institute of Standards and Technology (NIST) standards and best practices, it is easy to get lost in the quagmire of requirements. Gone are the days when following a few guidelines would yield a FISMA-compliant system. Standards have evolved to include requirements for insider threat, application security, supply chain risk, security assurance, mobile and cloud computing, advanced persistent threats and a barrage of privacy requirements. There’s also enterprise architecture, security automation, continuous monitoring and enhanced situational awareness in the mix. And that’s not even half of it.
Compliance can be a huge headache. We get it. But we love it. 38North’s FISMA consultants have been dealing with FISMA compliance for years. Ask them to regale you with stories of our past SSPs, ISCPs, ST&Es and ATOs, and you’ll get a taste of how much ground they’ve covered.
What is FISMA?
FISMA stands for the Federal Information Security Management Act, and is part of the US E-Government Act (Public Law 107-347) that became law in 2002. It requires federal agencies to develop, implement and manage a risk-based, agency-wide information security program to ensure the ongoing protection of information and critical systems. In doing so, FISMA requires federal agencies (and their third parties) to place increased emphasis on accountability, stringent policy adherence, detailed reporting, performance measurement and ongoing security assessment and improvement.
Here are some of the ways we help you with FISMA:
FISMA Gap Analysis:
Have a new FISMA requirement, but don’t know how to get started? 38North’s FISMA gap analysis educates you on the process while gauging how your information system(s) would fare against FISMA standards. We’ll also let you know how much it will cost to complete a full security authorization, identify any risks and/or challenges, and focus your attention on the most critical items to get you ready for action. This is your first step if you’re completely new to the world of FISMA.
This is the whole enchilada. We work with your IT and security personnel to get your system(s) FISMA-compliant. We focus on minimum requirements to get you through the process in the shortest time possible. The result is a complete authorization package with an executive summary detailing all critical risks matched to a recommended remediation strategy. We even provide a continuous monitoring plan, once you’ve been granted an authority to operate (ATO), to extend the life of your authorization.
FISMA Continuous Monitoring:
Security authorization is no longer a paperwork exercise that’s done once every three years. The NIST Risk Management Framework requires system owners to continuously track system changes that may affect security controls, and reassess control effectiveness. Controls need to be maintained, tested and reported on to ensure your system’s security posture is within acceptable levels of risk. Sound like too much overhead and expense? 38North takes the worry out of continuous monitoring by developing an actionable continuous monitoring plan that will keep pace with the ever-changing technology and cyber security landscapes.
Control assessment. Security test and evaluation. NIST 800-53A assessment. Annual assessment. Whatever it is, we can do it. 38North consultants have conducted countless assessments in the government and commercial sectors — from simple, closed systems to complex, multinational operating environments. We don’t just scan and give you a report, either. We analyze all your controls, deploy automated testing and assess the business and security risk to your system and organization. You also receive a prioritized list of recommendations tailored to your business and mission requirements, so you can develop an immediate and meaningful action plan for remediation.
Rooted in the belief that an organization should be able to maintain its own compliance efforts, 38North offers tailored FISMA training to match the unique needs and experience of each of our clients. We have half-day, one-day and two-day FISMA training courses on the NIST Risk Management Framework, security authorization and continuous monitoring. Recognizing that security awareness and training is a critical aspect of an effective security program, our courses are an ideal complement to our other FISMA services.