Navigating the labyrinth of federal compliance standards is an uphill battle even for the most experienced and savviest of government contractors or federal agencies. Case in point? FedRAMP and FISMA.
In this article, we'll guide you through what both FedRAMP and FISMA are, their similarities and differences, and an overview of their compliance requirements. We'll also outline the many hurdles that government agencies must clear to ensure compliance. The stakes are real: the 2020 FISMA Annual Report to Congress revealed that 30,819 cybersecurity incidents were reported in FY 2020, an 8% increase over 2019. Of these incidents, six were reported as major incidents.
What is FISMA?
FISMA was first established and enacted in 2002 as the Federal Information Security Management Act. In 2014, it was updated to the Federal Information Security Modernization Act.
While FISMA 2002 charged the Office of Management and Budget (OMB) with government-wide responsibility, FISMA 2014 makes both the OMB and the Department of Homeland Security (DHS) accountable.
FISMA requires all federal agencies to develop, document, and implement an agency-wide information security program. The purpose of FISMA is to ensure that federal agencies protect the sensitive data and information systems that support the assets and operations of the agency, including systems provided by another federal agency, a service provider, or a third-party vendor.
It's noteworthy that a bipartisan bill, the Federal Information Security Modernization Act of 2022, was introduced on Jan 25, 2022, to further strengthen federal cybersecurity.
What is FedRAMP?
FedRAMP, or the Federal Risk and Authorization Management Program, was created by the OMB and enacted in 2011. FedRAMP requires all federal agencies that currently use, or plan to use, the cloud to go through the FedRAMP program to assess security. To become certified, cloud service providers (CSPs) must adhere to a strict series of information security standards and requirements and be assessed by an authorized Third-Party Assessment Organization (3PAO). Additionally, they must provide continuous monitoring reports and updates to FedRAMP. It should be noted that CSPs are required to attain both FISMA and FedRAMP certifications.
FedRAMP and FISMA Similarities
While both FedRAMP and FISMA were enacted for separate audiences, they share a host of similarities.
- Both are federal security frameworks whose primary goal is to protect government data.
- Both are based on NIST 800-53.
- Both have low, moderate, and high categories of security controls in their guidelines.
- Both organize their controls into the NIST SP 800-53 control families, including:
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment & Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical & Environmental Protection (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- Systems & Services Acquisition (SA)
- Systems & Communications Protection (SC)
- Systems & Information Integrity (SI)
- Under both frameworks, government agencies must obtain an ATO (authorization to operate).
FedRAMP vs FISMA Differences
The key differences between FedRAMP and FISMA are just as numerous as the similarities.
- FISMA security assessments can be performed by the government agency or any third party that conducts security assessments. This includes the agency’s senior officials. FedRAMP security assessments, however, must be performed by an approved 3rd Party Assessment Organization (3PAO).
- FISMA is focused on general IT security requirements, while FedRAMP is focused on cloud providers.
- FedRAMP's certification requirements are far more stringent than FISMA's.
- All federal agencies, contractors, and departments must comply with FISMA standards. Only agencies or cloud providers who use or plan to use a cloud solution to host federal data must comply with FedRAMP standards.
- FedRAMP introduces no new controls; rather, it selects additional controls from the NIST baseline, so it uses more controls than FISMA.
- FISMA authorizations address low, moderate, or high impact levels. FedRAMP authorizations only address low to moderate impact levels.
FedRAMP Compliance Requirements
The major high-level requirements to complete the FedRAMP process include:
- Complete FedRAMP documentation. This includes the FedRAMP SSP (System Security Plan).
- Have the Cloud Service Offering (CSO) assessed by a FedRAMP Third Party Assessment Organization (3PAO). It's best to work with the FedRAMP Program Management Office (PMO) and choose an approved 3PAO, ideally one that is also a licensed PCI Qualified Security Assessor and holds ISO certification.
- Controls must be implemented in accordance with the system's FIPS 199 security categorization.
- Remediate all findings.
- Develop a Plan of Action and Milestones (POA&M).
- Obtain an Agency ATO or a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO). The JAB is FedRAMP's primary governance and decision-making body and consists of the Chief Information Officers of the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
- Implement a continuous monitoring (ConMon) program that includes monthly vulnerability scans.
FISMA Compliance Requirements
The process for obtaining and maintaining FISMA compliance consists of six separate requirements.
- Information System Inventory - Organizations must maintain a list of all information systems in use, as well as identify how these systems are integrated within their network.
- Risk Categorization - Organizations must categorize information in order of risk. This ensures that sensitive information is given the highest level of security.
- System Security Plan - Organizations must keep a system security plan that is regularly reviewed and updated.
- Security Controls - There are 18 categories contained in NIST SP 800-53 that can be implemented for FISMA compliance. Organizations only need to implement controls relevant to their systems.
- Risk Assessments - Organizations must assess risks at the organizational level, business-process level, and information system level.
- Accreditation and Certification - Compliant organizations are certified and subject to annual reviews to retain accreditation.
Bear in mind that these are the most basic, high-level FISMA compliance requirements. There are hundreds of additional security controls that run the gamut from small technical details to program-wide decisions that impact funding, disaster recovery plans, privacy, hiring/personnel security, data protection mechanisms, and more.
FedRAMP vs FISMA FAQs
Who Needs FISMA Compliance?
FISMA applies to all agencies in the United States federal government. Since its original inception in 2002, however, FISMA has been expanded to include state agencies administering federal programs (unemployment insurance, Medicare, student loans, Medicaid, etc). FISMA was also expanded into the private sector. Any private sector company with a contractual relationship with the federal government, whether to support a federal program, receive grant money, or provide services, must comply with FISMA.
What is the FISMA Compliance Process?
We went over the FISMA compliance requirements in the section above. But what exactly does the compliance process entail?
- Discover all devices connected to your network, including smartphones, tablets, PCs, laptops, network devices, etc.
- Validate that all system and security patches have been applied across all your systems.
- Monitor system logs on all devices to identify threats and malicious behavior.
- Validate that all devices have been correctly configured from a security standpoint.
- Block or quarantine malicious and suspicious activity.
- Monitor your systems' performance to catch failures as soon as they occur rather than after the fact, to avoid downtime.
The most effective way to implement these processes and maintain FISMA compliance is to use automation. Public clouds like Amazon Web Services, Microsoft Azure and Google Cloud allow you to implement autonomous compliance controls using code.
Keep in mind that your organization must stay current with any changes to the FISMA standards and keep detailed documentation of all of your FISMA compliance efforts. Also, encrypt everything, at rest and in transit. Data encryption is a FISMA requirement.
The best way to ensure compliance and significantly reduce the work needed to maintain compliance is to outsource to a company experienced with FISMA compliance implementation and maintenance.
What is the difference between FISMA and NIST?
FISMA is the law that dictates cybersecurity standards for U.S. federal agencies. NIST (National Institute of Standards and Technology), on the other hand, is a government agency that publishes security standards, including those required to successfully ensure FedRAMP and/or FISMA compliance.
What is a FedRAMP equivalent?
FedRAMP equivalent, sometimes called FedRAMP Ready, refers to FedRAMP authorized cloud providers that meet the security requirements equivalent to the FedRAMP moderate baseline. This is covered in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, paragraph (d). The CSP must comply with the requirements outlined in paragraphs (c) through (g) of this clause. This covers cyber incident reporting, media preservation and protection, malicious software, cyber incident damage assessment, and access to additional information and equipment necessary for forensic analysis. A list of cloud service providers that are FedRAMP equivalent can be found on the FedRAMP marketplace.
Meeting the FedRAMP and FISMA requirements can be complex, but working with an experienced partner can help you simplify your compliance management strategy. Possibly even more importantly, an experienced compliance partner can take on the heavy lifting of maintaining compliance and free your teams to focus on tasks that deliver business value rather than on operational tasks. Cloudticity has the experience and track record. Cloudticity has done and continues to do extensive work with the VA on GovCloud and manages the only FISMA-High workload ever deployed to that environment.
Why go it alone? Contact Cloudticity for a free consultation. Let us help your organization traverse the intricate and complex security compliance certification process for FISMA and/or FedRAMP standards.