FISMA assessment types: What you should know
10 Sep 2025
The federal agencies in the US were established to serve critical functions, including enforcing laws, providing services, and managing public resources. They play a vital role in ensuring public safety, health, and environmental protection. Any disruption in these functions can have a nationwide impact.
This is why the government has developed and enforced regulations to ensure that federal agencies have the requisite preparedness to keep information assets safe. One such regulation is FISMA.
Let us look at what FISMA is, why it is important, and then take a closer look at its assessment types.
What is FISMA? Why is it important?
The Federal Information Security Modernization Act, or FISMA, was passed in 2002 by the US Congress to equip federal agencies and their contractors with the cybersecurity preparedness and information security measures needed to secure sensitive data.
Both NIST (the National Institute of Standards and Technology) and FISMA ensure that federal agencies are proactively prepared with measures to secure their information and infrastructure.
FISMA was updated in 2014, when the Federal Information Security Management Act became the Federal Information Security Modernization Act.
On whom does FISMA apply?
Initially, FISMA was designed to apply only to federal agencies, but its scope has since expanded to cover state agencies that administer federal programs such as Medicaid, Medicare, and unemployment insurance. It also applies to private companies that hold federal agency contracts.
Does FISMA apply to contractors?
Yes, it applies to contractors that handle or process federal information or operate information systems for federal agencies.
What are its primary requirements?
The primary requirements of FISMA include:
- Conducting an annual review of security
- Maintaining an inventory of IT systems
- Implementing continuous monitoring to manage risks effectively
- Documenting the controls in the system security plan
- Meeting baseline security controls
- Performing system risk categorization
FISMA assessment types and their key components
FISMA assessments evaluate whether security programs of federal agencies are compliant with FISMA information security requirements. These assessments ensure organizations have a healthy security posture through the identification of weaknesses, verification of controls, and evaluation of measures to continuously manage risks.
They fall into three categories: security control assessments, risk assessments, and continuous monitoring.
Let us look at each of the assessment types and their key components:
Security Control Assessments
These are the assessments that evaluate whether organizations have the needed security controls and whether these controls are effective or not. Security controls can be categorized into three primary categories: management controls, operational controls, and technical controls.
Management controls are the controls that are defined based on the organization’s governance structure, policies, and procedures.
Operational controls are controls that are based on awareness gaps the organization needs to address. These include controls for training awareness and preparedness.
Technical controls, as the name suggests, are system-level controls like Identity and Access Management, threat detection, and encryption.
The primary types of security control assessments that organizations can conduct include initial assessments, ongoing assessments, annual assessments, and ad-hoc assessments.
The key functions of security control assessments are to:
- Test and evaluate controls.
- Assess whether the required security controls are present and implemented by the organization.
- Ensure that security controls are not merely in place but are designed correctly, implemented properly, and functioning as intended.
Risk Assessments
Risk assessments are a critical component of FISMA assessments that emphasize evaluating the organization for risks.
The primary functions of risk assessments are to:
- Evaluate the organization for risks.
- Identify risks and their severity.
- Prioritize and treat risks.
Here is how risk assessments are carried out:
- Asset discovery – identify and catalog all the information systems, data, and other assets within FISMA scope.
- Risk and threat identification – identify risks and threats to information assets and to the infrastructure overall.
- Impact analysis – evaluate the consequences if a risk or threat materializes, such as a security breach or a disruption of service.
- Likelihood assessment – determine how likely it is that a vulnerability will be exploited.
- Risk calculation and prioritization – combine impact and likelihood to determine the level of risk, then rank risks by severity and impact on the organization.
Risk assessments can be categorized into qualitative, quantitative, and hybrid assessments.
Qualitative assessments evaluate how risks will develop and impact the organization. These are carried out by high-level experts and are used primarily for identifying complex risks with a broader impact.
Quantitative assessments evaluate and determine the numerical and statistical impact of risks, offering high precision while consuming more time and resources.
Hybrid risk assessments combine both qualitative and quantitative assessment elements to determine an organization’s risk exposure.
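The calculation and prioritization step above, and the qualitative, quantitative, and hybrid views just described, can be made concrete with a small script. The following is an added example and not code from the original article or from SharkStriker; it assumes a 1 to 5 scale for likelihood and impact, a 5x5 qualitative matrix with assumed band boundaries, and the standard annualized loss expectancy formula (ALE = asset value x exposure factor x annual rate of occurrence) for the quantitative view. The asset and threat records are constructed sample data.

```python
"""Risk calculation and prioritization in the FISMA risk-assessment style.

Added example. Assumptions (not taken from the article): likelihood and
impact are rated 1-5, the qualitative level comes from a 5x5 matrix with
the band boundaries below, and the quantitative view uses
ALE = SLE x ARO with SLE = asset value x exposure factor.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    asset_value: float       # USD, used only by the quantitative view
    exposure_factor: float   # fraction of asset value lost per incident, 0..1
    aro: float               # annualized rate of occurrence (incidents per year)


def qualitative_score(likelihood: int, impact: int) -> int:
    """Matrix cell value: likelihood x impact on the 1-5 scales."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on a 1-5 scale")
    return likelihood * impact


def qualitative_level(score: int) -> str:
    """Map a matrix score to a level; the band boundaries are an assumed convention."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Quantitative view: single loss expectancy times expected incidents per year."""
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * aro


def prioritize(risks, by: str = "hybrid"):
    """Rank risks. 'hybrid' sorts by qualitative score and breaks ties with ALE;
    'quantitative' sorts by ALE alone."""
    rows = []
    for r in risks:
        score = qualitative_score(r.likelihood, r.impact)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "score": score,
            "level": qualitative_level(score),
            "ale": annualized_loss_expectancy(r.asset_value, r.exposure_factor, r.aro),
        })
    if by == "quantitative":
        rows.sort(key=lambda row: row["ale"], reverse=True)
    else:
        rows.sort(key=lambda row: (row["score"], row["ale"]), reverse=True)
    return rows


# Constructed sample inventory; values are illustrative only.
SAMPLE_RISKS = [
    Risk("Benefits portal", "Credential stuffing", 4, 4, 2_000_000, 0.10, 2.0),
    Risk("Case-file share", "Ransomware", 3, 5, 5_000_000, 0.30, 0.5),
    Risk("Internal wiki", "Defacement", 3, 2, 50_000, 0.05, 1.0),
    Risk("HR database", "Insider data theft", 2, 5, 3_000_000, 0.20, 0.2),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(f'{row["asset"]:<16} {row["threat"]:<20} score={row["score"]:>2} '
              f'{row["level"]:<8} ALE=${row["ale"]:,.0f}')
```

Running it shows why hybrid assessments exist: the benefits portal ranks first on the qualitative matrix, but the case-file share has the larger annualized loss, so the two views disagree on the top item and an assessor has to decide which signal drives treatment.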
Continuous Monitoring
Another essential type of FISMA assessment is continuous monitoring, which ensures that organizations do not drift from their assessed security state and that they proactively adapt their defenses to the evolving threat landscape.
The key functions of continuous monitoring are to:
- Ensure that organizations do not drift from their assessed security state
- Continuously evaluate how effectively threats are detected and responded to
- Check whether organizations regularly update security measures in line with current threats
- Assess preparedness to identify risks and respond to threats and incidents in a timely manner
As per FISMA, a continuous monitoring assessment must include the following elements:
- Tools that automatically collect, analyze, and report security metrics and events
- Periodic security control assessments that check the effectiveness of security measures
- Regular vulnerability scanning of systems and networks to identify vulnerabilities and misconfigurations
- Regular log review to detect suspicious or unusual activity and potential threats or incidents
- Continuous monitoring of changes to system configurations so that the security posture is maintained
- Established and maintained procedures, systems, and preparedness for responding quickly to incidents
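Two of the elements in that list, configuration change monitoring and log review, are the ones most often automated, and the following script shows a minimal form of each. It is an added example, not code from the original article or from SharkStriker. The baseline and current configuration values, the setting names (which mirror common sshd options but are used only for illustration), the list of security-relevant keys, the failed-login threshold, and the syslog-style lines are all constructed assumptions.

```python
"""Continuous-monitoring checks: configuration drift against an approved
baseline, and log review for repeated failed logins.

Added example. Every config value, key name, threshold and log line below
is constructed sample data and not taken from the article.
"""
import hashlib
import json
import re
from collections import Counter

# Assumed set of settings whose change should be escalated immediately.
SECURITY_RELEVANT_KEYS = {"PermitRootLogin", "PasswordAuthentication", "MaxAuthTries"}


def fingerprint(config: dict) -> str:
    """Stable SHA-256 of a config dict so an approved baseline can be stored as one hash."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_config_drift(baseline: dict, current: dict) -> dict:
    """Compare a current snapshot with the approved baseline and classify each change."""
    findings = {"added": [], "removed": [], "changed": [], "high_severity": []}
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            findings["added"].append(key)
        elif key not in current:
            findings["removed"].append(key)
        elif baseline[key] != current[key]:
            findings["changed"].append((key, baseline[key], current[key]))
        else:
            continue  # unchanged setting, nothing to record
        if key in SECURITY_RELEVANT_KEYS:
            findings["high_severity"].append(key)
    findings["drifted"] = fingerprint(baseline) != fingerprint(current)
    return findings


# Matches the failure line format used by the constructed sample log.
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def review_auth_log(lines, threshold: int = 5) -> dict:
    """Return source addresses whose failed-login count reaches the threshold."""
    failures = Counter()
    for line in lines:
        match = FAILED_LOGIN_RE.search(line)
        if match:
            failures[match.group(2)] += 1
    return {src: count for src, count in failures.items() if count >= threshold}


# Constructed baseline and snapshot (illustrative sshd-style settings).
BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
            "MaxAuthTries": "3", "LogLevel": "VERBOSE"}
CURRENT = {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
           "MaxAuthTries": "3", "Banner": "/etc/issue.net"}

# Constructed syslog-style lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "Sep 10 09:01:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Sep 10 09:01:04 host sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2",
    "Sep 10 09:01:06 host sshd[101]: Failed password for root from 203.0.113.9 port 51236 ssh2",
    "Sep 10 09:01:08 host sshd[101]: Failed password for root from 203.0.113.9 port 51237 ssh2",
    "Sep 10 09:01:10 host sshd[101]: Failed password for invalid user test from 203.0.113.9 port 51238 ssh2",
    "Sep 10 09:01:12 host sshd[101]: Failed password for invalid user guest from 203.0.113.9 port 51239 ssh2",
    "Sep 10 09:05:00 host sshd[102]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Sep 10 09:05:03 host sshd[102]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
    "Sep 10 09:06:00 host sshd[103]: Failed password for bob from 198.51.100.4 port 40003 ssh2",
]

if __name__ == "__main__":
    print(json.dumps(detect_config_drift(BASELINE, CURRENT), indent=2))
    print(review_auth_log(SAMPLE_LOG))
```

The drift check reports the root-login setting as a high-severity change and also surfaces the dropped logging level, which is exactly the kind of silent regression periodic control assessments tend to miss between cycles; the log review flags only the address that crossed the threshold, so the single failures from the legitimate user stay out of the incident queue.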
Are you looking for a helping hand to improve your FISMA compliance?
SharkStriker can offer you dual expertise in cybersecurity and compliance to effectively improve your FISMA compliance through early discovery of security risks and compliance gaps and assessment-based recommendations to improve posture.
Here is how we help federal agencies and contractors become FISMA compliant:
Comprehensive risk assessment
We help identify risks across infrastructure and the effectiveness of security controls and offer recommendations to improve risk management.
Categorization of risks across systems
We help identify, categorize, and prioritize risks using security assessments based on real-world attack techniques.
Maintain baseline controls
We help agencies identify the missing baseline controls and implement all the recommended security controls.
Continuous monitoring
We help identify missing elements (like missing tools, vulnerability management, and log management systems) for continuous monitoring and offer comprehensive recommendations to establish mechanisms for continuous monitoring.
Assistance with annual reviews of security
We provide end-to-end support throughout annual reviews and FISMA assessments, offering the guidance needed in cybersecurity and compliance.