Four Reasons Why You Should Not Let a General IT Security Organization Perform Your FISMA Assessment


Okay, you have a contract (or subcontract or grant) that involves sensitive government information and a connection to a Federal Information System. So, you are now subject to FISMA compliance and must undergo an assessment. You’ve looked at NIST Special Pub 800-53, Revision 4 and are somewhat bewildered by the hundreds of control requirements. Maybe you don’t know how to determine the sensitivity category of this information or you are unsure of your accreditation boundary. You realize that these factors can significantly affect the costs of your compliance. So, you decide to engage an outside FISMA assessment firm. In this selection process, you should avoid organizations that are large, general IT security houses. Here’s why:

1. They tend to promote automated tools that they claim to be an “easy” solution to FISMA.

Larger, general IT security companies often push their proprietary products – usually no more than a mix of scanning and analysis tools. The problem is that NO tool can determine the presence, much less the quality, of any significant portion of the NIST control requirements. Heavy reliance on tools is indicative of a check-in-the-box approach which might save you some money in the near term at the expense of leaving you with a false sense of security, loss of the government’s trust, denial or loss of your ATO, and (worse still) unknown vulnerabilities that can lead to a breach. And nobody wants that.

2. These companies will often try to sell ongoing security services to you.

Even though you might be perfectly capable of ensuring continuing FISMA compliance in-house or possibly with an occasional outside scanning specialist. Some less scrupulous firms might even recommend an expensive remediation (in which they specialize) when a much cheaper one would be perfectly acceptable to the government.

3. In general, these organizations are “pseudo-independent auditors”.

True independence means that the assessing organization has no stake in the results of the assessment and does not offer any remediation services to you or to anyone else.

4. Unless your system is unusually large and complex, these companies will use junior security engineers.

The INFOSEC business is growing and so are IT security companies. With the scarcity of senior security engineers, these firms are hiring newbies and using your assessment to train them. This approach also maximizes profit for the assessor.

Instead use a firm that:

  • Has FISMA experience but does not offer security services beyond assessments
  • Uses CFCP credentialed, senior security engineers that can look deep into potential issues
  • Can bring in experts as needed for highly-technical analyses
  • Does not offer security-related products Will stand by you during a government audit
  • Understands your exposure to legal actions in the event of a breach
  • Understands your need for support in defending your security budget to upper management
  • Most importantly, is committed to improving your actual security posture