How BSC Completes Your FISMA Audit With Minimal Interference With Your Operations


Chances are, you and your IT staff are very busy and that you view a FISMA audit as the last thing that you need on your plate. We understand and therefore have structured our approach to FISMA and HIPAA audits with “Minimizing Interference” as one of the major pillars. How do we do this? Prepare! Prepare! Prepare!


Step 1. Provide A Quote

The first stage of our engagement with you is providing a quote for our services. To do this, we need some basic information about your environment, usually gathered via a phone conference. By the way, even though you have not yet committed to an agreement, this information is already being captured, analyzed and recorded into the audit documentation. We hate doing things twice, and you do too!

There are two major items that drive audit time and cost and we clarify these right up front. First, we discuss the sensitivity level of the information that you must protect. In real time, we will perform the FIPS 199 analysis to determine your sensitivity level as low, moderate, or high. There is a significant difference in the number of NIST SP 800-53 Rev 4 control requirements applicable to each level. And a common mistake is to overrate the sensitivity of information – good intentions since everyone wants to maximize protection – but overly expensive from a risk/reward perspective.

The second key item is the boundary of the system to be accredited under FISMA. Obviously, everything involved in directly processing, storing or transmitting sensitive information is within the boundary. However, some organizations include their entire network when a smaller perimeter can be drawn which limits the scope of the audit. Another “boundary-like” consideration is your contract with the Government. You might have lots of sensitive data, but only the information that is relevant to your specific Federal contract is subject


Step 2. Audit & Documentation

At this point, you’re so impressed that you decide to enter into an agreement with us. Thank you! What comes next? Actually, we perform several tasks in parallel – all at our facility.

First, we draft a document request list. It’s surprising how much of an audit can be performed by reviewing documentation – and it’s all done by us at our place. We will ask for security plans, policies, COOPs, etc. But don’t worry, we understand that many organizations don’t have the documents in the exact form that is suggested in 800-53. We just look for the material in whatever documents you can provide. We will note any gaps and inform you prior to our visit so that you can be prepared to discuss or provide alternative documentation. This approach minimizes our time at your site (and in your way). And, in keeping with our philosophy of doing things only once, we are analyzing and recording information from your documents directly into our templates that will form the bulk of your audit report.

A FISMA audit does require some face-to-face or telephone interviews with certain members of your organization – CIO, Human Resources, Data Center Management, etc. We like to identify the individuals to be interviewed, schedule them, and prepare them by submitting a list of questions/topics ahead of the visit so that they are not surprised. We also understand that everyone’s schedule changes and so our approach is robust with respect to sequencing of tasks. We can take things out of order because our templates help us to remember every item.

The final pre-visit task is to customize our standard FISMA Audit Plan and Agenda and provide it to you at least one week prior to the visit. We will stand by for one or more phone conferences should you have questions or concerns.

Step 3. We Visit You

Now we are at your door. If appropriate, we conduct an entry briefing for your management, explaining clearly the purpose of our visit and the products that we intend to have at the end. By the way, our typical visit is two days, sometimes three for a first-timer. But we usually don’t tie up your staff during much of that time, as we are reviewing, analyzing and recording what we find.

At the end of the visit, we give you a preliminary list of findings and a draft POA&M (that’s Government-ese for Plan of Action and Milestones) that defines what actions we recommend to close each finding. Often, many findings can be closed in real time – before we leave your facility. If desired, we can also help you draft your attestation letter to the Government. We will also out-brief your management if desired. You’re done! But we still have work to do.

After the visit, we return to our office, draft the Audit Report, and transmit it to you for review. You can submit written comments or we can hold one or more phone conferences and take your comments verbally. Then we finalize the POA&M with you and, at your option, work with you to mitigate any findings.