FISMA Versus FedRAMP: A Brief Overview
Recently, several of our clients have inquired about upgrading their FISMA compliant applications to be FedRAMP compliant. This would enable them to offer their products in a hosted environment. Therefore, we offer this blog which will discuss at a high level the differences in both processes and the actual controls required to become FISMA vs. FedRAMP compliant. The first step is to ensure that we are all on the same page and understand what FISMA and FedRAMP really are.
I. Definitions
FISMA
FISMA stands for the Federal Information Security Management Act. Enacted in 2002, it outlines mandatory guidelines to strengthen the security of government information systems. FISMA depends on multiple documents and standards; federal agencies, departments and contractors are required to follow this framework. First and foremost, FISMA is a law that applies to government agencies.
In terms of FISMA’s applicability to the private sector, there are key documents and standards FISMA uses when considering obtaining a service outside of the federal government (referred to as the authorization process). They include:
- Federal Information Procession Standard (FIPS) 199:
Ranking information (low, medium or high) based on the impact a vulnerability or threat would have on the infrastructure. - NIST SP 800-53 Rev. 4:
Defines the baseline security controls, which are chosen from FIPS 199 and FIPS 200.
If an organization successfully undergoes a FISMA Assessment and has an approved plan in place for mitigating all findings, it receives an ATO – Approval to Operate.
FISMA includes the following steps:
- Identify the System Boundary
- Categorize the information to be protected (Low, Moderate or High)
- Select minimum baseline controls and assess the effectiveness of security controls of the information system
- Prepare a Plan of Action and Milestones and monitor the findings to closure
- Monitor the security controls on a continuous basis
FedRAMP
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program started in 2011 that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry. It’s a centralized assessment program for cloud providers that mandates a security assessment be performed by a third-party assessment organization (3PAO) to sell government cloud services to a federal agency. It requires that all federal agencies that currently use or plan to use the cloud first run through the FedRAMP program to assess security, which involves four steps. If the provider passes, they are awarded a Provisional Authority to Operate (P-ATO).
While all federal agencies are required to have an independent assessment of their control implementation, FedRAMP is the only implementation that has accredited independent assessors via the 3PAO program. A FedRAMP accreditation granted by the Joint Authorization Board (JAB) or an Agency can be leveraged by another Agency, instead of being fully assessed again. The JAB is the primary governance and decision-making for the FedRAMP Program.
Below are the FedRAMP duties and responsibilities for the JAB.
- Define FedRAMP security authorization requirements
- Approve accreditation criteria for third party assessment organizations
- Establish a priority queue for authorization package reviews
- Review FedRAMP authorization packages
- Grant joint provisional authorizations
- Ensure that provisional authorizations are reviewed and updated regularly
FedRAMP includes the following steps:
- Initiating: Completing the application process for an assessment
- Assessing: Hiring a third-party assessment organization (3PAO) to perform the independent security assessment. The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations. Monitor findings to closure.
- Authorizing: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency sending the completed assessment to the FedRAMP JAB or other certified agency.
- Leveraging: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.
II. FISMA and FedRAMP
Both FedRAMP and FISMA are separate initiatives that use the NIST 800-53 controls as the source for their control baseline. FISMA assessments are performed by the agency directly or any third party who conducts security assessments (including an individual agency’s senior officials). FedRAMP assessments, however, must be performed by a 3PAO.
They have a suite of documentation in common, but they generally have their own unique templates.
- Information System Security Policies and Procedures
- Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA)
- Configuration Management Plan (CM)
- Incident Response Plan (IR)
- IT Contingency Plan
- System Security Plan (SSP)
- Rules of Behavior (ROB)
- Assessment Reports
FedRAMP is a more structured framework for the assessment of cloud products and services and has a more structured authorization process, but it does not need to be performed annually and once granted only requires continuous monitoring. FISMA requires annual reviews of the information security program. All federal agencies, departments and contractors are required to comply with FISMA standards (whether they are a cloud service provider or not), whereas FedRAMP is only required for agencies or cloud service providers who currently use or plan to use a cloud solution to host federal information.
Finally, FedRAMP doesn’t deploy new controls, but it adds control enhancements from the NIST Baseline Controls, and therefore uses more controls than FISMA.
Lastly, the table below shows the differences in the number of NIST 800-53 controls between the two.
Control Family | FISMA | FedRAMP | ||||
---|---|---|---|---|---|---|
Low | Mod | High | Low | Mod | High | |
Technical Controls | ||||||
Access Control (AC) | 11 | 35 | 43 | 11 | 43 | 54 |
Audit and Accountability (AU) | 10 | 18 | 28 | 10 | 19 | 31 |
Indentification & Authentication (IA) | 15 | 22 | 24 | 15 | 27 | 31 |
System & Communications Protection (SC) | 10 | 24 | 30 | 10 | 32 | 39 |
Operational Controls | ||||||
Awareness and Training (AT) | 4 | 5 | 5 | 4 | 5 | 7 |
Configuration Management (CM) | 8 | 21 | 31 | 8 | 27 | 36 |
Contingency Planning (CP) | 6 | 22 | 35 | 6 | 24 | 35 |
Incident Response (IR) | 7 | 12 | 16 | 7 | 18 | 26 |
Maintenance {MA) | 4 | 9 | 13 | 4 | 11 | 14 |
Media Protection (MP) | 4 | 9 | 12 | 4 | 10 | 12 |
Physical & Environmental Protection (EP) | 10 | 18 | 26 | 10 | 20 | 27 |
Personnel Security (PS) | 8 | 8 | 9 | 8 | 9 | 10 |
System & Information Integrity (SI) | 6 | 21 | 27 | 6 | 28 | 39 |
Management Controls | ||||||
Security Assessment & Authorization (CA) | 7 | 10 | 12 | 8 | 15 | 16 |
Planning (PL) | 3 | 6 | 6 | 3 | 6 | 6 |
Risk Assessment (RA) | 4 | 7 | 8 | 4 | 10 | 12 |
Systems & Services Acquisition (SA) | 7 | 14 | 18 | 7 | 22 | 26 |
Total Controls | 124 | 261 | 343 | 125 | 326 | 421 |