Compliance Guide

How does SharkStriker help you become FISMA Compliant?

What is FISMA?

The Federal Information Security Management Act (FISMA) was passed in 2002 as part of the Electronic Government Act. Under the Act, all federal agencies must implement security measures and best practices for information security.

The guidelines were framed jointly by NIST and FISMA, with NIST responsible for maintaining and updating the compliance guidance issued under FISMA.

The government has also released FISMA as part of FedRAMP, the Federal Risk and Authorization Management Program. The information security guidelines recommended by FISMA help organizations improve their information security posture considerably.

FISMA requirements

The following are FISMA-specific requirements:

Information Security Inventory

According to the FISMA compliance guidelines, organizations must maintain an up-to-date inventory of all the systems across their IT infrastructure. This includes every process and system that is integrated with, or plays a critical role in, the storage, sending, receipt, processing, and transmission of information.

Risk Categorization 

FISMA recommends that organizations categorize the risks to information security. Organizations must document all the risks their systems may face, ranked by severity, together with the measures to treat them. This allows them to take proactive measures to treat the risks and mitigate information security threats.

System security plan 

FISMA requires every federal agency to prepare a comprehensive System Security Plan that defines which security controls will be implemented and how, and to update that plan regularly.

Security Controls

NIST recommends the controls for securing and maintaining the integrity, confidentiality, and availability of all information systems. NIST SP 800-53 provides a detailed set of controls (more than 20 security controls) for each agency, and each applicable control is to be implemented and documented by the agency. Agencies are not required to implement every security control, only those that apply to their systems.

Risk Assessments 

If a federal agency has made any changes to a system, it must conduct a three-tier risk assessment as recommended in NIST SP 800-30, using the Risk Management Framework (RMF). If the assessment shows that further security controls are needed, those controls must be implemented.

Assessment and authorization 

Each agency must conduct an annual security review and demonstrate that it has implemented, maintained, and monitored its systems in line with FISMA. This is where all the controls are assessed to check whether they are performing as needed and serving their purpose effectively. Based on the assessment, an appointed authority authorizes the systems to operate.

Continuous Monitoring

Adhering to FISMA is not a one-time activity. Agencies must implement continuous monitoring of the controls and perform regular risk assessments to detect deviations from the implemented guidelines. Agencies should also ensure that all third-party vendors perform periodic risk assessments to proactively prevent non-compliance.

What are the challenges of FISMA compliance?

FISMA is one of the most complex sets of guidelines that federal agencies must adhere to. Here are some of the challenges that they face in the implementation of the FISMA guidelines:

Managing complexity

The guidelines and requirements include establishing and maintaining a system inventory, performing risk assessments, and putting detection and response measures in place, among others. All of the recommended measures and requirements are highly complex, which makes it a challenge for the agencies and parties subject to FISMA to implement them.

Continuous monitoring

Adherence to FISMA is not a one-time activity: agencies subject to FISMA must follow its guidelines on an ongoing basis, and the guidelines themselves change periodically. Keeping up is highly challenging for agencies, since it means continuously tracking changes in the recommendations and updating the security controls and policies needed to remain compliant with FISMA.

Integrating compliance-specific information systems into the existing infrastructure

Under FISMA, agencies are required to implement and maintain the information security measures, systems, and processes recommended in the information security program. This can be challenging for some organizations because their legacy systems do not easily integrate with the systems recommended in the program.

Data classification and handling

FISMA requires organizations to classify the information they create, receive, maintain, process, and transmit. Given that organizations hold large information assets containing many types of highly sensitive information across different levels, implementing the information classification guidelines is a challenge for them.

Employee training and awareness

Human error is one of the primary threats in cybersecurity, so FISMA recommends that agencies provide awareness and training on cyber risks, threats, and industry best practices for cybersecurity. Because large organizations are distributed across many departments and levels, ensuring awareness at every level is highly challenging for them.

Third-party compliance

FISMA requires that all vendors associated with an agency also comply with the guidelines issued under FISMA. Organizations that work with many third-party vendors and contractors face the challenge of limited visibility into those vendors' FISMA compliance practices.

Reputational risk

Any form of non-compliance with FISMA may result in loss of federal funding and exclusion from future government contracts and grants, severely impacting the organization's reputation and future business opportunities.

To whom does FISMA apply?

It applies to all federal agencies and to all private organizations that manage federal programs, such as the Medicare program, the unemployment insurance program, and the Medicaid program.

Who are the regulatory bodies for FISMA?

Agencies subject to FISMA must report any FISMA violation to Congress within 7 days of discovery. The regulatory body that oversees all FISMA-specific agency efforts is the Office of Management and Budget (OMB). The primary regulatory bodies for FISMA are as follows:

  • NIST is the body that creates the programs to improve information security and risk management in federal agencies
  • The Department of Homeland Security administers the NIST programs for information system security

What are the business benefits of becoming FISMA compliant?

The following are some of the business benefits of being compliant with FISMA:

FISMA ensures round-the-clock security of information

Through the implementation of information security best practices such as round-the-clock monitoring, FISMA ensures round-the-clock security for the information of all citizens associated with federal agencies. This fosters increased trust between agencies and citizens.

It enables risk management across different levels of the organization

Large organizations often struggle to ensure information security when large information assets are stored and managed across multiple levels. FISMA provides a comprehensive guideline for effectively managing risks across different levels.

Bridges awareness gaps related to cybersecurity

FISMA makes it mandatory for all agencies to conduct training and awareness campaigns across different departments regarding some of the most prevalent threats and the best practices to defend against those threats.

Increases the data security standards of agencies, enabling them to secure all citizens' data more efficiently

It empowers agencies to secure information better and ensure its integrity, confidentiality, and availability. It gives agencies a better way to secure all their citizens' data, bringing increased predictability and an improved posture against modern-day threats.

Enables periodic assessment and monitoring

FISMA requires organizations to periodically assess and monitor their security controls, ensuring that the security posture is assessed regularly, all underlying risks are addressed, and industry best practices for cybersecurity are implemented for enhanced readiness against modern-day threats.

Provides guidance on incident response and remediation measures

It offers detailed guidelines on incident response: a comprehensive set of measures that organizations use to proactively secure their most sensitive assets, remediate incidents, and recover effectively.

Ensures that all agencies get security built on industry best practices and global standards

By implementing the security measures recommended by FISMA, organizations by default become compliant with recommendations issued by global regulatory bodies, which helps them earn increased brand trust through adherence to global standards.

What are the best practices recommended by FISMA?

FISMA recommends the following best practices:

  • Implement a comprehensive data security plan through systematic classification of data by importance and sensitivity, and implement measures to monitor activity and detect threats on a round-the-clock basis.
  • FISMA periodically updates its guidelines with the latest techniques, tactics, and procedures used by attackers and the best practices to defend against them. It therefore recommends that all agencies keep up with updates to the guidelines and requirements.
  • It requires agencies to document all the efforts they have made to comply with FISMA.
  • All federal agencies and all parties subject to FISMA must take measures to encrypt their data assets, especially those that are highly sensitive.

What are the consequences of being non-compliant with FISMA?

There are some unavoidable consequences of being non-compliant with FISMA. These include:

Losing funding from the federal government

One of the biggest consequences of not adhering to FISMA is losing the contract, which means the agency will not receive further funding. This can have a serious financial impact, since many agencies depend on federal funding, and it also means the agency loses all future federal bidding opportunities.

Exposure to cybersecurity risks

By not implementing the recommended best practices to safeguard against cyber-attacks, organizations expose themselves to many cyber risks and threats, such as data breaches, that may put all their most sensitive information assets at risk.

Loss of reputation because of non-compliance

A consequence of non-compliance is that the organization may be publicly reprimanded by Congress and exposed to data breaches, which could severely impact the reputation of the brand.

How does SharkStriker help you become FISMA compliant?

SharkStriker offers an end-to-end compliance service that guides businesses at each step, providing the expertise needed to implement all the measures recommended by FISMA and stay compliant in a highly volatile compliance landscape.

SharkStriker Approach

Here is the approach that SharkStriker follows to assist organizations in adhering to FISMA compliance:

Risk Assessment

The first step is to prepare a detailed scope with the client through a detailed assessment of their compliance needs. The next step is an organization-wide risk assessment through Vulnerability Assessment and Penetration Testing (VAPT) across the IT infrastructure, to determine the areas that are vulnerable and exposed to risk. At this step all the risks are categorized by severity and a detailed report is prepared with recommendations to address them.

Gap Assessment

We assess all the existing security measures against the controls and measures recommended in FISMA and look for gaps in compliance. We then identify the measures that must be implemented to bridge those gaps.

Risk Treatment Plan

We prepare a highly comprehensive plan comprising the measures, controls, policies, procedures, rules, expertise, and technology that are to be implemented to treat all the risks across the IT infrastructure.


We implement the technology, expertise, resources, policies, procedures, rules, controls, and measures set out in the risk treatment plan. At this step we ensure that the risk treatment plan is implemented effectively, as it was planned.

Post-Implementation Audit

To identify gaps in implementation, we conduct a post-implementation audit. Our goal is to ensure that the implementation is exactly as per the risk treatment plan; where gaps are identified, we implement measures to fill them.

Training and Awareness

To close gaps in human awareness, we develop training and awareness campaigns aimed at those gaps. To measure gaps in awareness of FISMA compliance, we conduct a department-wise awareness gap assessment.