The acronym FISMA stands for the Federal Information Security Management Act.
If you work for a government agency, or your company hopes to sign contracts to work with the government, security is critical. You must protect sensitive documents, and you must have the paperwork to prove your compliance with a variety of regulations.
Part of your job involves decoding the alphabet soup of regulations. FISMA is a critical set of rules you must know forwards and backwards.
If you don't understand all of the rules right away, you're certainly not alone. But the harder you dig and the more you learn, the easier compliance will be to achieve.
What Is FISMA?
FISMA is part of the E-Government Act, signed into law in December of 2002. As part of FISMA, government agencies must design, document, and implement programs that keep information safe and secure.
In 2014, FISMA was amended by the Federal Security Modernisation Act. Reporting requirements shifted with this legislation. Agencies have less upfront work to do to prove compliance, but if there's a breach, they have a stronger incentive to report the problem.
Originally, FISMA requirements applied only to government agencies. But in time, the scope broadened.
Now, you might need to comply with the rules if you hope to work with a government agency. For example, you might need compliance if you hope to bid on a project that is funded by these entities:
Medicare or Medicaid
The Environmental Protection Agency
The Federal Trade Commission
The National Transportation Security Board
If you don't have proof of compliance, you could be deemed ineligible to bid on a project, even if you hope to offer a competitive price.
FISMA Compliance Step by Step
It can take weeks or months to craft and implement plans that bring your company into compliance with FISMA. But follow a strategic, comprehensive plan, and you're less likely to skip foundational work that would require you to start over again.
Officials recognise four key steps all companies should take as they work toward FISMA compliance.
Step 1: Prepare
What programs are you using right now? How are programs integrated? An information system inventory is a critical part of any FISMA compliance plan, and the work happens during the preparation step.
Step 2: Categorise
With a full inventory prepared, you can create groupings by risk. What items are most likely to be targeted by hackers? What things are they likely to ignore?
Step 3: Select
What security and privacy controls do you need to protect your data? And how will you use them? Use this information to craft a system security plan that outlines what you're doing to protect the systems and the data in your care.
Step 4: Certify
With system documentation and risk assessments completed, your organisation can ask for certification.
As you do your work, you'll notice a few top requirements that every company must meet. They involve:
Inventories of information systems.
Categorisation and assessments of risk.
System security planning and controls.
Certification and/or accreditation.
You'll tackle each item in the steps. And if you find you've missed one, start again to make sure you don't leave out anything important.
What About the Cloud?
As you walk through your systems, you may wonder what to do with cloud applications. These applications don't run on your own servers, but you're still required to keep the data they hold safe.
The Federal Risk and Authorisation Management Program (FedRAMP) can help. This program was created to help organisations like yours learn how to protect cloud data. You can work with groups authorised by FedRAMP, or you can submit your company's products to get authorisation.
If you're using the cloud, or any other data-transfer process, you must consider encryption. Data must be protected as it moves from one place to another, and encryption helps ensure that hackers can't read anything while it's in transit. Officials generally suggest that all companies invest in centralised encryption management.
Why Does FISMA Compliance Matter?
It's clear that companies have plenty of planning and paperwork ahead if they hope to create systems that protect data up to FISMA standards. A major drawback of compliance involves time. You'll need a large and dedicated team to get the work done.
By comparison, the benefits of compliance are enormous. Okta works with private organisations and government agencies on compliance plans for FISMA. If you're not sure where to start, or you need a little help ensuring that you're offering the right kind of protection, we can help. Contact us to get started.
While this article discusses certain legal concepts, it does not constitute legal advice. It is provided for informational purposes only. For legal advice regarding your organisation's compliance needs, please consult your organisation's legal department. Okta makes no representations, warranties, or other assurances regarding the content of this article. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.