What is FISMA Reporting? Introduction and Overview
Q: What is FISMA reporting?
A: FISMA reporting is a process where federal contractors (i.e., businesses providing essential services and solutions to federal agencies) undertake a comprehensive process of adhering to the NIST SP 800-53 families of controls, and other supporting SP documents. Additionally, FISMA reporting requires development of the following three (3) core documents: (1). System Security Plan (SSP). (2). Security Assessment Report (SAR). (3). If applicable, the Plan of Action and Milestones (POAM).
Introduction to NIST SP 800-53
But before you even begin to think about FISMA reporting, you’ll need to get to know NIST SP 800-53. NIST SP 800-53, titled, “Security and Privacy Controls for Information Systems and Organizations”, is an in-depth information security framework developed and published by the National Institute of Standards and Technology (NIST). It’s one of the most well-known and well-respected InfoSec frameworks in the entire world, and it’s also the core document utilized for FISMA reporting.
As such, NIST Special Publication 800-53 (Revision 5) is a comprehensive publication that seeks to develop and make available to a broad base of public and private sector organizations industry leading InfoSec and operational measures for all types of computing platforms. Such platforms generally consist of general purpose computing systems, cyber systems, cloud platforms (SaaS, IaaS and PaaS), mobile systems, industrial/process control systems (SCADA, the “GRID”), the Internet of Things (IoT) devices, and more.
The Widespread Acceptance for NIST SP 800-53
With technology now being pushed to the edge like never before, and growing cybersecurity threats creating immense challenges for organizations, a comprehensive security and privacy control framework is needed. That is why NIST SP 800-53 matters, and it’s now a publication that is witnessing widespread adoption throughout North America, and even the world. It’s fair to say that both NIST SP 800-53 and ISO 27001/27002 have now become two of the most dominant security publications/frameworks in practice. NIST is largely present in North America, while ISO 27001/27002 has a strong presence in the European Union.
Simply stated: put in place the necessary FISMA policies, procedures, and processes as required by the prescriptive list of families of controls within NIST SP 800-53, and you’re on your way to becoming FISMA compliant. But there are additional steps that need to be taken, from a FISMA reporting perspective, and they include the following:
(1). Develop a System Security Plan (SSP).
(2). Document assessment findings via a Security Assessment Report (SAR).
(3). If necessary, document additional requirements within the Plan of Action and Milestones (POAM).
Together, these three (3) deliverables provide the necessary documentation for FISMA reporting, giving authorized personnel within federal agencies the basis on which to decide whether to allow an information system to operate.
While NIST SP 800-53 is the core document utilized for FISMA reporting, numerous other supporting “Special Publication” documents are often used when conducting FISMA engagements. It’s therefore essential to determine during a FISMA readiness & gap assessment which, if any, SP documents are to be included within the scope. Other documents that generally come into play for FISMA assessments include the following:
- NIST SP 800-18: Guide for Developing Security Plans for Federal Information Systems (Revision 1, February, 2006)
- NIST SP 800-30: Guide for Conducting Risk Assessments, (Revision 1, September, 2012)
- NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Revision 1, February, 2010, which includes updates as of June 5, 2014)
- SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View (March, 2011)
- NIST SP 800-53A: Security and Privacy Controls for Federal Information Systems and Organizations (Revision 4, January 22, 2015)
- NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations (Revision 5, August, 2017)
- SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (Sep 2011)
- SP 800-160: (DRAFT) Systems Security Engineering Guideline: An Integrated Approach to Building Trustworthy Resilient Systems (September, 2016)
What is FISMA Reporting? – 6 Things You Need to Know
Begin with a FISMA Readiness & Gap Assessment
Performing Remediation is Essential
One of the most time-consuming, tedious aspects of FISMA reporting is performing remediation. Remediation generally falls under the following categories: (1). Security/technical remediation. (2). Documentation remediation. (3). Operational remediation. As for security/technical remediation, there’s a laundry list of security tools/solutions that need to be in place as required by the families of controls found within NIST SP 800-53 and other supporting SP documents. For example, you’ll need to have in place File Integrity Monitoring (FIM), Two-Factor Authentication (2FA), vulnerability scanning, and much more. Such tools/solutions require additional business expenses, along with time to implement and maintain – not an easy task.
Regarding documentation remediation, please note the importance of information security policies and procedures (more on this topic just below!).
As for operational remediation, think of the following measures to perform: an annual risk assessment, security awareness training for all in-scope users, testing of one’s business continuity/disaster recovery initiatives, and more. FLANK offers a FISMA All-in-One Compliance Toolkit containing hundreds of pages of professionally developed, well-written, and easy-to-use policies, forms, checklists, programs, and much more. Saving thousands of dollars on FISMA reporting begins with expert documentation offered by FLANK for instant download at flank.org today.
Who’s in Scope for FISMA Reporting?
Do you outsource critical services that are considered in-scope for FISMA reporting? For example, do you use a managed security services provider (MSSP), perhaps a cloud-based platform (i.e., Amazon AWS, Microsoft Azure, Google Cloud, etc.), or a secure offsite storage provider? Answering yes to any of these questions, and others like them, requires comprehensive due-diligence measures to be in place for evaluating these third-party entities. Call them what you want – vendors, contractors, suppliers – they all need to be evaluated in terms of information security and operational best practices. FLANK offers comprehensive third-party due-diligence and vendor management programs for instant download, an important mandate for FISMA reporting.
Documentation is a BIG Mandate for FISMA Reporting
As just discussed, FISMA policies and procedures – and other supporting documents – are a large element of FISMA reporting. Why? That’s because the vast majority of families of controls within the NIST SP 800-53 publication require documented policies and procedures for compliance. For example, do you have policies and procedures in place for access control, change control/change management, configuration management, BCDRP, patch management, and more? If not, then it’s time to begin authoring InfoSec policies in accordance with NIST SP 800-53.
Perhaps your organization in fact has InfoSec policies in place – great – but do they meet the intent, rigor, and spirit of the actual NIST SP 800-53 families of controls? If not, instead of spending time enhancing your current security policies and procedures, it’s much easier and quicker to start from scratch with FLANK’s FISMA All-in-One Toolkit, available for instant download today.
Becoming Compliant is Just the Beginning
In terms of what FISMA reporting is, remember that becoming FISMA compliant is just the beginning for regulatory compliance. You have to stay compliant with the prescriptive NIST SP 800-53 controls, and other related SP documents. What does this ultimately mean? It means monitoring your internal controls on a regular basis, making changes and enhancements as necessary. This can be a challenging and time-consuming task, primarily because businesses don’t often think of the time and costs associated with “continuous compliance”, just the initial compliance commitments. It’s why FLANK offers comprehensive regulatory compliance outsourcing services and solutions for businesses in various industries/sectors.
Why FLANK for FISMA Reporting?
Because FLANK offers the following industry leading services and solutions for FISMA reporting:
- FISMA readiness & gap assessments
- FISMA reporting policies and procedures writing
- FISMA All-in-One Compliance Toolkit
- System Security Plan (SSP) writing
- Independent, third-party Security Assessment Report (SAR)
- Comprehensive regulatory compliance outsourcing
We hope you found FLANK’s overview of what FISMA reporting is helpful in terms of understanding compliance with the Federal Information Security Modernization Act of 2014. If you need assistance with any aspect of FISMA, we’re ready to help.