FISMA Compliance & Certification Auditors and NIST SP 800-53 Consultants
FISMA Compliance & Certification Auditors
FLANK provides FISMA compliance & certification services, NIST SP 800-53 consulting, auditing, and policy and procedure writing services for organizations seeking to become compliant with the ever-growing list of NIST SP 800 publications, including the well-known NIST SP 800-53 document. But to fully understand NIST, you'll need to learn about the evolution of FISMA, known today as the Federal Information Security Modernization Act.
Background of FISMA and NIST
FISMA was officially enacted in 2002 as Title III of the E-Government Act of 2002, then subsequently updated in 2014 with the Federal Information Security Modernization Act. Its main purpose was for each federal agency within the United States government to undertake extensive measures regarding the development, documentation, and implementation of a broad-based set of policies, procedures, and supporting processes related to information systems. As a result of this act, FISMA requires the use of the National Institute of Standards and Technology (NIST) for developing standards, guidelines, publications, and other supporting activities regarding the implementation of best practices for information security within the various federal agencies.
In today’s growing world of national security and cybersecurity threats, the federal government has started to aggressively enforce the FISMA mandates that were initially signed into law in 2002. While federal agencies have been working hard on FISMA compliance for many years, the private sector is now the focus, with contractors being required to comply with the Federal Information Security Modernization Act of 2014 (FISMA). The regulatory compliance game has forever changed, due largely to constant national security threats imposed on federal agencies, and the downstream contractors providing critical services, so now’s the time to step up your efforts as it relates to FISMA, and FLANK is here to help.
As for NIST, it is officially a "measurement standards laboratory", a non-regulatory agency within the United States Department of Commerce. NIST publications include the 800 series of "special publications", which are documents of general interest to the computer security community; together with other NIST publications (ITL Bulletins and Interagency Reports), there are currently over 300 different documents. Many of these are used by the various federal agencies to help ensure compliance with FISMA, the most notable being NIST SP 800-53. The complete list of NIST SP 800 documents can be found (and downloaded) at http://csrc.nist.gov/publications/PubsSPs.html
Other notable NIST SP 800 series documents that are being widely used by the private sector include the following:
- SP 800-53: Recommended Security Controls for Federal Information Systems.
- SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
- SP 800-30: Guide for Conducting Risk Assessments.
- SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems.
- SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View.
- SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs).
- SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing.
- SP 800-57: Recommendation for Key Management (Parts I and II).
- SP 800-46: Guide to Enterprise Telework and Remote Access Security.
- SP 800-41: Guidelines on Firewalls and Firewall Policy.
As a result of FISMA, many non-governmental entities are being required to comply with FISMA in order to obtain federal contracts, which in turn means adhering to the requirements within NIST SP 800-53 and any other supporting NIST SP documents named in a Request for Proposal (RFP) put forth by a federal agency.
FISMA Compliance & Certification Process
Phase I: Readiness & Gap Assessment
It's important to clearly assess an organization's FISMA needs and overall requirements, so undertaking a brief yet comprehensive scoping & readiness assessment is critical. Essential activities for your FISMA readiness assessment include the following:
- Determining actual FISMA applicability, along with any other relevant and mandated regulations, rulings, and agency requirements. Note: FISMA has broad applicability, therefore it's important to clearly identify the specific requirements within any correspondence, communication, and contractual or legal language provided to your organization.
- Gaining an in-depth understanding of the organization's environment – the policies, processes, procedures, and personnel deemed to be in scope for FISMA compliance. More specifically, what functions are being performed and which systems are involved in the processing, storage, and/or transmission of the information in scope.
- Determining the criticality and sensitivity of the information to be processed, stored, or transmitted by such systems. This process, known as security categorization, is described in FIPS Publication 199, and is commonly known as Step 1 of the Risk Management Framework for ultimately achieving FISMA compliance. Note: The security categorization standard is based on a simple and well-established concept for determining the potential adverse impact on organizational information systems. Thus, the results of the security categorization help guide and inform the selection of appropriate security controls for adequately protecting information systems.
- Assessing current FISMA compliance – if any – such as past FISMA reporting, supporting documentation currently in place (i.e., information security policies and procedures), risk assessment measures, and other applicable initiatives.
The goal of the Phase I Scoping & Readiness Assessment is to clearly assess and understand your specific FISMA reporting requirements (legally and contractually), thus beginning a deeper dive into the various specifics relating to the Federal Information Security Modernization Act. In short, we'll review every element of an organization's security practices.
Phase II: Control Selection, Remediation, and Implementation
Following the successful completion of Phase I, it's then time to select the applicable controls, remediate as necessary, and implement the mandated controls for the specific information system(s). Phase II activities consist of the following:
- Selecting the applicable security controls based on the results of the security categorization, and then applying tailoring guidance as necessary. This requires assessing all of the relevant NIST SP 800-53 families of controls.
- Remediating all areas of non-compliance in relation to the applicable security controls, which includes both operational and qualitative remediation, along with technical remediation. Remediation generally consists of developing all necessary information security policies and procedures, implementing necessary security tools and devices, and other supporting initiatives. Note: Remediation is often the most time-consuming part of FISMA compliance, as organizations frequently lack adequate documentation and supporting security solutions.
- Implementing the security controls and documenting the design, development, and implementation details for such controls. More specifically, ensuring all security controls – and the supporting policy documentation, along with security solutions – are in place.
Phase II is comprehensive indeed, and consists of Steps 2, 3, and 4 of the Risk Management Framework for ultimately achieving FISMA compliance. As stated, remediation is often the most time-consuming aspect of FISMA compliance, and it's why businesses turn to FLANK: our industry-leading FISMA and NIST 800-53 policy toolkits and templates help complete Phase II quickly and comprehensively.
Phase III: FISMA Assessment, Reporting, and Continuous Monitoring
Phases I and II constitute a tremendous amount of work towards FISMA compliance, yet validation and continuous monitoring of controls is imperative, which results in the following activities for Phase III:
- Ensuring all security controls – and the supporting policy documentation, along with security solutions – are in place and functioning as designed.
- Documenting all findings via an official FISMA Security Assessment Report (SAR) as mandated.
- Working collaboratively with your organization in adopting and implementing a comprehensive monitoring program for continuous compliance with FISMA, ultimately ensuring the confidentiality, integrity, and availability (CIA) of one’s information systems.
Phase III consists of Steps 5 and 6 of the Risk Management Framework for ultimately achieving FISMA compliance.
Policies and Procedures are Critical for FISMA Compliance
One of the most demanding and time-consuming aspects of becoming FISMA compliant is documentation, no question about it. Specifically, a large number of information security and operational policies, procedures, and related processes must be in place for FISMA compliance, a task which can be incredibly daunting, as most organizations fail to update – or even develop – the security and operational documents necessary for meeting the rigorous expectations of the Federal Information Security Management Act (FISMA).
Fortunately, FLANK has developed industry-leading FISMA and NIST 800-53 policy toolkits and templates. It's just another reason why companies all throughout North America turn to us for today's demanding regulatory compliance mandates – and we deliver! In need of proven FISMA compliance & certification services, NIST SP 800-53 consulting, auditing, and policy and procedure writing services? Then contact us today.
We provide industry-leading information security policy packets and other supporting documentation that map directly to the actual NIST requirements for FISMA, ultimately helping organizations save hundreds of operational hours and thousands of dollars on today's demanding regulatory compliance laws and mandates. Additionally, we have highly capable personnel consisting of security auditors, cybersecurity experts, and engineers – individuals with years of real-world, hands-on experience with today's emerging security issues. Visit flank.org to learn more about our products and services.
Additionally, FISMA compliance is often dependent upon implementing numerous security tools and solutions, ranging from firewalls to encryption, vulnerability scanning, and much more. As a result, FLANK has an extensive alliance of vendors providing high-quality, cost-effective security solutions to help bridge the gap with the necessary security controls. Turn to the experts today for FISMA compliance & certification services, NIST SP 800-53 consulting, auditing, and policy and procedure writing services.