Your FISMA 12 Step Program


If you work with the Federal Government, you are going to have to deal with FISMA sooner or later. The following is a guide to help you get through the FISMA process successfully.

Let’s start off with the basics! The Federal Information Security Management Act, known as FISMA, requires federal agencies, and the contractors and vendors that run systems on their behalf, to implement an information security program for the systems that support the operations and assets of the agency. And the truth is, you should be doing all that stuff to protect your business and customers anyway. With new attention on recent security breaches, it is critical to your business to stay on top of security. Getting through a FISMA assessment and obtaining an Authorization to Operate will help you be more secure and, as an added bonus, will help you with marketing to the Federal Government and other clients since they will see you as a safer vendor. In the event of a breach, it will also support your position that you performed due diligence to protect sensitive information.

Ok, now that you understand what it is, here’s how to get ready for and survive the FISMA process.

1. Try not to be overwhelmed.

FISMA provides a starting point for organizations to build and take responsibility for their information security programs. Get familiar with the 17 security-related areas defined in FIPS 200, which map to the control families in NIST SP 800-53, and don’t focus on the detailed individual controls right away. You will find that these core areas are common throughout the different audits you face every year. An independent assessor can also help walk you through the details, plus it adds credibility to be able to say to your client that your systems were reviewed by an independent third party.

2. Focus on data first.

Put your emphasis on protecting the data rather than your systems. Review the systems from a data-centric perspective and identify and safeguard the data that’s critical to your organization and your customer. This will lead to a robust security program that helps meet the FISMA controls.

3. Appoint one senior, qualified person to own data security rather than dividing it among multiple staff who happen to be available!

FISMA mandates that you appoint someone to be responsible for information security. You should assign a senior, experienced person who can stand toe to toe with senior management and not be intimidated. Who do you want to find problems: your own qualified internal security lead and the assessment team they hire, or your client’s audit team? Make sure this person reports to a senior staff member such as the CIO or even the owner to put some teeth in the position.

4. Document! Document! Document!

Assessors need objective evidence and FISMA requires annual reporting for government agencies. When possible, invest in software that will save time and money to automate as many reports as you can.

5. Continuous Monitoring is Critical.

FISMA requires continuous monitoring of the NIST 800-53 Rev. 4 controls. Monitoring can be time consuming, so look at your existing tool suite and see if it can meet the requirement. If you can avoid the learning curve of a new tool, that is one less thing to do, but make sure the existing tool is a good fit. So identify what technologies are being used, what they are being used for, and who is responsible for managing them. You need to know which IT services relate to cyber security. Also make sure you understand all of the regulatory and contractual requirements for the organization. Don’t stovepipe the audits: know them all, and you may be able to leverage one review to satisfy several. Are there any high-level risk indicators from the past to be aware of, e.g., accepted risks, repeat audit findings, frequent incidents or outages? As part of this review, continually monitor and do the following:

  • Reduce and monitor privileged access on a regular basis
  • Define and enforce configuration standards
  • Enforce change management processes and make sure all production goes through change management
  • Develop a FISMA calendar to ensure your annual testing, training and reporting requirements are met on time
  • Establish metrics to measure your performance
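The first and last bullets above (reduce and monitor privileged access; establish metrics) are the ones an assessor will ask you to show evidence for. Below is an added example, not code from the original article, of the kind of recurring check that produces that evidence: it compares the privileged group membership you actually observe against a documented list of approvals, flags members nobody approved, approvals older than the review interval, and approvals for accounts that no longer hold the access (which should be revoked on paper), and emits a dated record you can keep for the next audit. The group names, account names and the 90-day review interval are constructed sample data and assumptions, not requirements from FISMA or NIST.

```python
"""Privileged-access drift check for continuous monitoring.

Compares observed privileged group membership with a documented approval
baseline and reports drift plus a few metrics. All data below is constructed
for illustration.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Approval:
    """One documented approval of an account's membership in a privileged group."""
    account: str
    group: str
    approved_on: date
    approver: str


# Assumed review interval: approvals older than this must be re-reviewed.
REVIEW_INTERVAL = timedelta(days=90)

# Constructed baseline: what management has approved (e.g. from a ticket system).
APPROVED = [
    Approval("alice", "Domain Admins", date(2015, 1, 10), "cio"),
    Approval("bob", "Domain Admins", date(2014, 3, 2), "cio"),
    Approval("dave", "Domain Admins", date(2015, 2, 15), "cio"),
    Approval("svc-backup", "Backup Operators", date(2015, 2, 1), "ciso"),
]

# Constructed observation: what the directory / hosts actually report today.
OBSERVED = {
    "Domain Admins": {"alice", "bob", "mallory"},
    "Backup Operators": {"svc-backup"},
    "sudo": {"alice", "carol"},
}


def review(observed, approved, today, review_interval=REVIEW_INTERVAL):
    """Return unauthorized members, stale approvals, unused approvals and metrics."""
    approved_index = {(a.account, a.group): a for a in approved}
    observed_pairs = {(acct, grp) for grp, members in observed.items() for acct in members}

    unauthorized, stale = [], []
    for group, members in observed.items():
        for account in sorted(members):
            approval = approved_index.get((account, group))
            if approval is None:
                unauthorized.append((account, group))
            elif today - approval.approved_on > review_interval:
                stale.append((account, group, (today - approval.approved_on).days))

    # Approvals with no matching live membership: revoke them so the paper
    # trail does not drift from reality.
    unused = sorted(key for key in approved_index if key not in observed_pairs)

    total = len(observed_pairs)
    compliant = total - len(unauthorized) - len(stale)
    return {
        "unauthorized": unauthorized,
        "stale": stale,
        "unused_approvals": unused,
        "total_privileged": total,
        # Metric for the dashboard: share of privileged memberships that are
        # both approved and within the review interval.
        "compliant_ratio": round(compliant / total, 3) if total else 1.0,
    }


def evidence_record(result, today):
    """Serialize a review result as a dated JSON record to retain as audit evidence."""
    record = {"review_date": today.isoformat(), **result}
    return json.dumps(record, sort_keys=True, default=list)


if __name__ == "__main__":
    print(evidence_record(review(OBSERVED, APPROVED, date(2015, 4, 1)), date(2015, 4, 1)))
```

Run this on a schedule (your FISMA calendar), feed it the real group membership from your directory or configuration management tool, and archive each JSON record; the `compliant_ratio` and the count of unauthorized members are the kind of metrics the last bullet asks for, and a non-empty `unauthorized` list is a finding to track and remediate.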

6. Test controls and maintain evidence.

Controls should be reviewed and tested at least annually or in the event of a major change. Testing should evaluate whether the controls work as documented, and you should have a process for remediating any findings. Also keep the results as evidence for future assessors.

7. Implement a security budget.

Set up a formal budget for security and keep security as a line item in major expenditures. All major acquisitions should have a security impact analysis to minimize any risks.

8. Learn from your customer

Review the controls that your customer is stressing internally to gain insight into what they are focusing on. Search your client’s website and use Google to determine the templates and procedures they are using so you have a head start in preparing for your Authorization to Operate.

9. Keep your head when in the clouds.

Save yourself unnecessary headaches. When shopping for a cloud provider, make sure they hold a FedRAMP authorization. FedRAMP is essentially FISMA for cloud providers: if the provider is authorized, you can inherit the controls they are responsible for instead of paying to have them assessed as part of your own package, though you remain responsible for the customer-side controls (your accounts, configuration and data handling). It also shows they are focused on security, which is critical if they are housing your customer’s data.

10. Mind your vendors

Don’t add more risk and work for yourself by hiring unsafe vendors. Establish a checklist for reviewing all vendors to ensure they have the same level of security that you have, and be sure to have them sign your Rules of Behavior. Make periodic site visits to verify compliance. If they know you might visit, they will be more attentive to the controls.

11. Some findings are a good thing!

A 100% clean assessment usually means the assessor didn’t dig deep enough. There is always an area that can be improved. The government expects you to have some findings as long as you track them in your Plan of Action and Milestones and mitigate them in a timely manner. Corrected findings lead to better security.

12. Have any Questions?

Time for a Free Consultation. If this seems like too much, bring in a consultant familiar with FISMA to evaluate your plans and provide FISMA-compliant templates. A few hours of consulting may save you a lot of hassle and cost during the initiation phase. Make your FISMA audit a catalyst for improving your security and providing more safety for your organization and the data with which you have been entrusted.