This FISMA related article is directly related to the fact that online data breaches are in the news on a regular basis. In October 2017, for example, 92 million user accounts at the genealogy testing website “MyHeritage” were hacked.
Even worse, the breach wasn’t reported until June 2018 when a security researcher found clear evidence of the incident. Even though there was no sign user information was ever used by the instigators of the hack, it’s a reminder of how vulnerable personal data can be.
The implications are even more serious when you consider government data security incidents. These include the 25.6 million accounts accessed at the US Department of Veteran Affairs in 2006 and the 191 million individual records compromised in the US Voter Database in 2015.
And, despite evidence of Russian cyber interference in the 2016 US presidential election, the full extent and effects of those efforts still aren’t completely known.
It’s not supposed to be that easy or frequent, especially after passage of the Electronic Government Act in 2002. One key part of this legislation was the Federal Information Security Management Act of 2002 (FISMA) which is designed to protect electronic government records from man-made or natural threats.
There are two government agencies responsible for providing standards and reporting guidelines as well as reviewing annual reports to ensure compliance with FISMA: the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).
NIST is responsible for developing the standards and practices to ensure cybersecurity policies are risk based and cost effective. Annual cybersecurity reports from all federal offices and agencies are submitted to the OMB.
Although federal agencies have been required for years to produce FISMA reports, the scope of these efforts has been expanded to include all external contractors and companies doing business with the government. This includes providing goods or services, supporting a federal program, or receiving a grant.
There are six basic steps a company must take to implement a risk management framework and ensure FISMA compliance. This begins with an assessment of threat levels followed by the installation and monitoring of security controls.
1. Categorize Information Systems
First, electronic data is categorized by its sensitivity and the potential damage impact level – low, medium, or high – if it’s compromised.
This assessment helps to better standardize information technology (IT) assets and their value across different organizations. NIST Special Publication 800-60 Volumes 1 and 2 provides guidance in defining security categories for data and data system assets.
2. Choose Security Controls
Once IT resources have been categorized based on their damage impact level, the correct security controls can then be selected and implemented.
To this end, NIST Special Publication 800-53 provides guidance in choosing appropriate security controls.
As noted above, there is an important calculation to be made using both cost-effective and risk-based factors. That is, data must be kept secure, but at the same time, day-to-day agency or business activities must continue unimpeded.
3. Implement Security Controls
Effective use of security controls relies heavily on correct implementation. This is why agencies and businesses must thoroughly document the design, development, and installation of all security controls.
Implementation and subsequent use should incorporate commonly used controls whenever possible. It will be most effective to use commercially available technology across multiple systems whenever possible which can also be easily updated as necessary.
4. Evaluate Security Controls
This evaluation step ensures security controls have been implemented correctly and are producing the desired results. Agencies and companies can use NIST Special Publication 800-53A to design an effective assessment procedure.
Based on the results of this evaluation, the information produced can identify potential security control weaknesses and IT system problems. Then, appropriate resources can be requested to address these issues.
5. Create an Authorization Package
After the evaluation has identified weaknesses and potential problems, a three-part action plan must be formulated which considers the following factors: security category of the affected system, problems with existing security controls, and the impact of a potential data breach.
Then, an authorization package can be created which includes three sections: a security plan, evaluation results, and an assessment-based action plan to address identified deficiencies.
Before any action is taken, the authorization package will be evaluated based on both risk-based and cost-effective factors.
6. Monitor Security Controls
An agency or business’s mission, data security, and technology are not static but are constantly evolving and changing. This means the six steps in this process are not a one-and-done activity.
Instead, an ongoing risk management assessment feedback loop must be created and maintained. The goal is continual evaluation to improve security which continues to be cost effective.
Passing a FISMA Audit
No matter what, every government agency and federal contractor will undergo a FISMA audit at some point in time.
The first thing to do is not panic.
After all, if you’ve been protecting your data and documenting your security protocols, you’ve already covered a lot of the necessary bases.
Here are ten more keys to successfully making your way to the end of the audit process.
1. Remember FISMA’s Mission
Many of the details for FISMA implementation and reporting can seem daunting, but stay focused on the big picture. Complete assessments of data security risks. Implement and monitor controls to protect data. Finally, understand that commercial security products which can be used across multiple systems are preferable to reinventing the wheel.
2. It’s the Data
FISMA is less concerned with security systems than the data being protected. That is, don’t worry about implementing a one-size-fits-all, top-down solution. Instead, identify your most important data and work up from there in terms of the people and technology interacting with it. Then, determine the most appropriate security controls.
3. Risk is Acceptable
Remember: FISMA wants you to develop procedures which reduce risks to an acceptable level and are also cost efficient. You don’t have to guard every piece of data like it’s in Fort Knox because the level of security used shouldn’t negatively impact the day-to-day mission of your agency or company.
4. Designate an Appropriate Security Manager
FISMA demands entities designate a security manager, a person who can implement, assess, and make changes to security controls as necessary.
Your Chief Information Officer (CIO) likely doesn’t have the time or desire to deal with these issues with the requisite amount of granular attention. But you don’t want to assign these responsibilities to a low-level IT tech who doesn’t have the knowledge or authority to do what needs to be done.
5. Produce a Written Plan with a Budget
FISMA sees documentation as an indicator you’re taking compliance seriously. You can’t implement and maintain security controls in an ad hoc manner. Instead, produce a step-by-step plan with a budget to demonstrate you’re serious about ensuring adequate data security.
6. Report, Report, Report
Your level of compliance will be determined by the reports you provide. Sure, nobody likes writing reports. Then again, being proactive in documenting what you’re doing will spare you the need to try to reconstruct what you did after the fact. Instead of building a whole new reporting system, identify the reports you’re already producing to see which data might be repurposed for FISMA.
7. Monitoring is not Optional
FISMA requires ongoing monitoring of security controls including system and management changes, regularly scheduled assessments, and the resulting evaluation results. When producing these reports, see how they might also be used to benefit your organization in other ways.
8. Document Annual Controls Tests
It’s mandatory to perform annual evaluations of security controls, document the findings, and initiate a plan for any necessary actions to address problems or weaknesses. This can often trip up organizations as it always seems like an inconvenient time for these tests. You must do them, though, or face possibly serious consequences.
9. What’s Everyone Else Doing?
If you’re a contractor, what types of FISMA-related activities is the agency or office you’re working with doing? That can help you identify what government auditors will be looking for.
10. Ask for Help
When all else fails, don’t be afraid to ask for help. As noted above, you can always start with the agency you’re working with, but there are also FISMA consultants who can guide you through the audit process.
Be Proactive, Not Reactive
It’s a cliché because it’s true: People don’t plan to fail, they fail to plan.
If you never give any thought to your annual FISMA report until it’s almost due – or past due! – you’re already in trouble, and an audit on top of that will be a bigger problem.
Do the necessary prep work up front so your annual reports can be produced as painlessly as possible, and you should easily pass an audit too.
Want to learn more about compliance with business standards and practices? Check out these articles we’ve provided covering a range of relevant issues.
Focus Keyword(s): FISMA