Cost of Becoming FISMA Compliant


Many clients that are about to undergo a FISMA assessment ask us what it costs to meet the requirements. There are several factors to consider when looking at the expense of becoming FISMA compliant, and it is hard to provide a dollar amount until a gap analysis is performed, since until then we do not know what the client may be missing. However, we can tell you what the big-ticket items are so you can gauge for yourself whether you can meet the requirements in a cost-effective manner.

First of all, one of the biggest weaknesses is typically documentation, e.g., the Security Plan, Contingency Plan and Incident Response Plan, to name a few. As part of our engagement, we provide the client with templates at no additional charge for the policies, procedures and plans they are missing, and other firms may do this as well. If you have the internal resources to prepare the draft plans over time, that can save a significant amount of money. It is better to have the plans prepared in house anyway, and as long as a timeline for completion is part of the Corrective Action Plan (CAP), you still qualify for interim compliance. The templates we provide are ones often used by government agencies, so you will be in good shape if you need to send any of these documents to a government client as part of a proposal or contract.

The second big-ticket item is physical compliance. This includes fire suppression and monitoring. If you have halon or sprinklers in place, then you're in good shape. If you have an old data center without any fire suppression, this could be a high-cost item. If your building provides a guard and cameras at egress and ingress points, you should be able to meet the monitoring requirements with minimal expense. In addition, all access points to your facility need to be secured.

Another expense could be software tools. While you have a firewall and likely virus protection and spam filtering, you will also need some type of logging software for tracking access, etc., and some form of incident response tools in place. You need to be able to show that you are proactively monitoring your network. If you have this in place, you are well on your way to compliance. If not, this will add to the expense.

One other major expense is two-factor authentication (TFA). You will eventually need to move to this, but you can bound the system and only require it for users of privacy data and for privileged users. If this is a small subset, then it will save money. The TFA requirement is relatively new, and therefore it is usually acceptable to roll it out over a longer period.

Bounding the system by segregating the privacy data and its users can go a long way toward minimizing the impact, since controls then need to be implemented for a subset of users rather than organization wide. I highly recommend this approach if it fits your organization.

That sums up some of the major expenses of becoming FISMA compliant. At the conclusion of our gap analysis, we always provide a formal corrective action plan with milestones that lays out a path to FISMA compliance. As long as you have a corrective action plan in place and continue to make progress, you will be meeting the requirements of interim FISMA compliance. There is also the option of accepting the risk for some of these requirements. If countermeasures are in place and the cost of additional safeguards is prohibitive, then an accepted risk is "acceptable." However, the number of accepted risks should be minimized.

Because there are many options for meeting control requirements, no one can offer a one-price-fits-all approach to FISMA compliance. But this should give you at least a qualitative sense of the cost. After a review, the assessor is typically available to help, and sometimes clients request that they provide support and reviews of the ongoing mitigations to cover this. The cost of the assessment and of this support should be provided up front, so at least the assessment portion won't hold any surprises.