How to Ease Future Compliance – Get Ahead of the Curve NOW
So you just finished your FISMA assessment and are working the remaining POA&M items. With these items well in hand, you are thinking that next year’s audit is going to be a breeze. But about two weeks before that audit, you find out that there are new control requirements and, while easier than your first audit, this year is not going to be a cakewalk.
It’s a fact that security controls have to change and new requirements have to be added to address the growing threat environment. State-of-the-practice defenses are being overcome by new attacker technology; for example, some malware can detect when it is being run in a sandbox and alter its behavior. Once all you had to do was set up a strong “perimeter defense”. Now you have to minimize your “attack surface” and prepare to deal with the almost certain penetrations.
BSC can help you prepare for next year’s assessment in several ways. First, we are one of the organizations that the National Institute of Standards and Technology (NIST) asks to review their Special Publications (SP). NIST is very thorough in soliciting input from both Government and Industry and issues multiple drafts of each publication for comment prior to releasing the final version. For SP 800-53, a final revision formally changes the security control requirements. FISMA, in turn, adopts these new controls and sets a date by which all FISMA ATO holders must comply. Usually, ATO holders have about a year to show compliance with, or non-applicability of, the new requirements.
After reviewing drafts of the NIST SPs, especially SP 800-53, BSC incorporates the changes into our templates for the Security Assessment Plan (SAP) and Security Assessment Report (SAR). Since we send the SAP well before our visit to your facility, you will know about these future requirements early. Either prior to the visit or while we are there, we can address your compliance with these requirements and answer any questions you might have. Of course, you would not be scored on future requirements, but we will provide an indication of the degree to which you would comply. The goal is to give you ample time to address any gaps so that the next assessment is a continued success.
The second way that we can help you stay ahead is our continuing education policy. All of our FISMA auditors are required to attend a minimum of 40 hours of training per year. Most of that training consists of webinars on current IT security topics. That keeps us up to speed on the latest threats as well as the latest countermeasures.
They say that some people make things happen, some watch things happen, and others wonder what happened. Don’t be that last guy! Let BSC get you ahead of the very dynamic IT security curve.