FISMA Certification and Accreditation
FISMA Certification and Accreditation Requirements for Federal Contractors
Businesses providing essential services to federal agencies will no doubt benefit from having a proven, well-planned roadmap relating to the FISMA certification and accreditation requirements & processes. FLANK, a federal compliance firm with vast FISMA experience, has helped contractors all throughout the country in earning FISMA compliance. Additionally, FLANK also offers world-class FISMA regulatory compliance documentation for download.
As federal agencies continue to outsource various functions to the private sector, thousands of contractors throughout North America are now having to become FISMA compliant. And even though FISMA was enacted in 2002 (and then amended in 2014), the current cybersecurity drumbeat in Washington, D.C. is louder and noisier than ever before – a clear sign that federal compliance has come of age. No longer can federal contractors bypass today’s demanding compliance legislation; if they do, they’ll find themselves without a contract and possibly with penalties to pay.
Now’s the time to learn essential steps and best practices relating to the FISMA certification and accreditation requirements and processes, compliments of FLANK, a leading provider of federal compliance solutions. If the FISMA mandate comes knocking at your door, here’s what you need to know and what you need to do:
Understand what FISMA Compliance Really Means
Becoming FISMA compliant is not a simple check-the-box assessment process. FISMA is an evolution, a cultural transformation relating to the broader topic of information security. It’s about changing the way you look, think, and act about information security, and it ultimately means big changes for your organization. It’s about going through different phases, developing various deliverables, achieving milestones, and continuing to monitor and assess your internal controls.
Here are just a few examples of the scope of the FISMA certification and accreditation requirements & processes:
- Develop comprehensive, FISMA specific information security policies and procedures.
- Assess and remediate all technical and security controls as required by the NIST SP 800-53 framework (publication available for download at https://csrc.nist.gov/publications).
- Perform an in-depth risk assessment.
- Acquire and put in place numerous security tools and solutions.
- Develop all required FISMA certification and accreditation requirements & processes documentation, including the System Security Plan (SSP), Security Assessment Report (SAR), and Plan-of-Action and Milestones (POAM).
Begin with a FISMA Readiness & Gap Assessment
The evolution of FISMA begins with a readiness & gap assessment for identifying what information systems, business processes, people, and facilities are in scope, along with determining gaps in your control environment. It’s then on to technical/security/operational remediation of your internal controls, from re-configuring systems to writing policies and procedures, and more. Next, you’ll move on to developing your System Security Plan (SSP), assessing your controls after remediation, developing a Plan of Action and Milestones (POAM), and more. The evolution continues with “Continuous Monitoring”.
If you take the time to understand that the FISMA certification and accreditation requirements and processes require a deep commitment to compliance, then you’re on the right track. Remember, setting expectations and understanding what you’re getting into and the relevant expectations is often a big part of the battle with FISMA.
We could probably write a book and talk for hours on the true benefits of beginning your FISMA initiatives with a readiness & gap assessment, so here’s what you should know. Benefits of a FISMA Readiness & Gap Assessment include the following:
- Validation of people, processes, entities, and physical locations to be considered in-scope for FISMA compliance.
- Determination of what gaps exist when mapped against the NIST SP 800-53 family of controls that are used for FISMA compliance.
- Development of a clear, actionable roadmap with realistic milestones for the entire FISMA process.
- An essential element of FISMA compliance that prepares your team for the road ahead.
Get to Know NIST SP 800-53
Becoming an expert in NIST SP 800-53 is essential regarding the FISMA certification and accreditation requirements & processes. Why? Because NIST SP 800-53 is the actual publication used for becoming FISMA compliant, as it contains all the necessary security control “families” that organizations must comply with. With numerous controls and hundreds of accompanying control requirements, NIST SP 800-53 is often recognized as the world’s leading publication on information security (some would argue that the ISO 27001/27002 framework is its equal). What’s more, many of the controls are technical in nature, requiring a “deep dive” into any number of topics, such as configuration files, audit logs/audit trails, two-factor authentication, vulnerability scanning, and so much more.
FISMA Certification and Accreditation – It’s a Marathon, not a Sprint!
We’ve spent literally thousands of hours studying the NIST SP 800-53 publication, ultimately allowing us to gain a strong understanding and true appreciation of the security controls within it, and of how to help businesses with FISMA compliance. The language can be somewhat overly taxing and layered, but make no mistake, the mandates for compliance are very clear within this well-known NIST publication. It’s available for download from NIST, so get a copy today. Let’s be very clear here – the FISMA certification and accreditation requirements & processes initiatives can take some time. FISMA is a marathon, not a sprint!
Be Prepared to Perform Security/Technical Remediation
Because of the depth and complexity put forth in NIST 800-53, federal contractors will no doubt find themselves having to perform critical security/technical remediation found during the readiness & gap assessment. Here are some common examples of remediation activities:
- Re-configuring access controls to strengthen password complexity rules, remove shared accounts, conduct access control reviews ensuring all de-provisioned users no longer have access, and more.
- Re-configuring servers (the underlying O/S and applications residing on them) for ensuring they are properly provisioned, hardened, secured and locked down in accordance with vendor and industry specific guidelines.
- Implementing tools that help capture mandated baseline auditing events and create audit files, which are then parsed for examination and stored.
- Implementing two-factor authentication (2FA) for privileged users and remote access.
- Implementing vulnerability scanning (at a minimum external, preferably internal also).
This list just continues, but you can clearly see the initiatives to perform relating to the FISMA certification and accreditation requirements and processes for federal contractors. You need help, and FLANK is here to assist you every step of the way.
Information Security Policies and Procedures are Critical for FISMA Compliance
Yes, they are. One of the most time-consuming and challenging requirements relating to the FISMA certification and accreditation requirements and processes is documentation. More specifically, it’s about the need for developing FISMA specific information security policies and procedures that map directly to the requirements within NIST SP 800-53. We have them, that’s right, a complete set of toolkits and policy templates that include all required policies, procedures, forms, checklists – and more – for helping ensure rapid compliance with FISMA. They’re available for immediate download today at flank.org.
Your FISMA certification and accreditation requirements and processes just became that much easier, thanks to the industry leading FISMA toolkits and policy templates from FLANK. Perhaps you have existing policies and procedures, but are they current, and can they effectively map to the actual NIST 800-53 controls?
You Will Need to Acquire Security Tools
Are you using a number of disjointed freeware and opensource tools with no real unified reporting dashboard? Do you even have in place the minimum-security toolsets required for the FISMA certification and accreditation requirements and processes? FISMA compliance is highly dependent on organizations implementing various InfoSec security best practices, which ultimately means obtaining security tools. Think File Integrity Monitoring (FIM), Intrusion Detection Systems (IDS), Two-Factor Authentication (2FA) – that’s just the beginning, with many more security tools needed.
Let’s take a deeper dive into these tools as to what they are, why they’re needed and other essential information:
- File Integrity Monitoring (FIM): A software solution for validating the integrity of operating system and application software files by comparing the current file state against a known baseline.
- Intrusion Detection Systems (IDS): Protecting an organization’s network often begins by protecting the perimeter with an Intrusion Detection System (IDS). Snort is one of the most well-known IDS’s available, but there are many other viable solutions.
- Audit Logs/Audit Trails/Parsing Tools: Configuring information systems to capture and record critical events is essential for FISMA compliance. More specifically, NIST SP 800-53 puts forth a prescriptive set of requirements in the Audit and Accountability control family.
- Two-Factor Authentication (2FA): Users that access networks remotely – or have privileged access – need to be using a two-factor authentication session to help further ensure the safety and security of the communication session in use. There are a number of tools available, most of them relatively inexpensive and easy to use. Just remember, for 2FA you need two of the following three factors in use: something you know, something you have, something you are. Most, if not all, of the 2FA tools available meet these requirements.
- Vulnerability Scanning: One of the most fundamentally important initiatives that any business should be performing is vulnerability scanning – both internal and external scans. NIST SP 800-53 speaks to the requirements of scanning, but doesn’t go into specific details as to the types of scans (i.e., internal and external) or the frequency of such scans. Regardless, organizations should be performing regularly scheduled scans of critical networks.
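To make the File Integrity Monitoring item above concrete, here is an added example (written for this page; it is not FLANK’s product, nor any vendor’s FIM tool) of the core technique: take a baseline of SHA-256 hashes and permission bits for every file under a monitored directory, store it outside that directory, and later compare a fresh snapshot against the stored baseline to report added, removed, modified and permission-changed files. The directory layout, file names and contents in demo() are constructed for illustration; the baseline file location and the decision to skip symlinks are assumptions, not requirements of NIST SP 800-53.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 65536  # read files in chunks so large binaries are not loaded into memory


def hash_file(path):
    """Return the SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_snapshot(root):
    """Walk root and record hash, size and permission bits for every regular file.

    Symlinks are skipped (assumption: we monitor real files, not link targets).
    Keys are POSIX-style relative paths so the baseline is portable across hosts.
    """
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            snapshot[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return snapshot


def save_baseline(snapshot, out_file):
    """Persist the baseline as JSON (in practice: somewhere the monitored host cannot rewrite it)."""
    Path(out_file).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(in_file):
    return json.loads(Path(in_file).read_text())


def compare(baseline, current):
    """Diff two snapshots and classify every difference."""
    base_keys, cur_keys = set(baseline), set(current)
    common = base_keys & cur_keys
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in common if baseline[k]["sha256"] != current[k]["sha256"]),
        "mode_changed": sorted(k for k in common if baseline[k]["mode"] != current[k]["mode"]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        monitored = Path(tmp) / "system"          # the tree under integrity monitoring
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        (monitored / "etc").mkdir(parents=True)
        (monitored / "bin").mkdir()
        conf = monitored / "etc" / "app.conf"
        hosts = monitored / "etc" / "hosts"
        svc = monitored / "bin" / "svc"
        conf.write_text("debug=false\n")
        hosts.write_text("127.0.0.1 localhost\n")
        svc.write_bytes(b"\x7fELF-constructed-binary")
        os.chmod(hosts, 0o644)

        save_baseline(build_snapshot(monitored), baseline_file)

        # Simulated changes an FIM deployment should surface:
        conf.write_text("debug=true\n")                      # content modified
        svc.unlink()                                         # binary removed
        (monitored / "etc" / "extra.conf").write_text("x=1\n")  # unexpected new file
        os.chmod(hosts, 0o600)                               # permissions changed, content same

        return compare(load_baseline(baseline_file), build_snapshot(monitored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A production deployment would run build_snapshot on a schedule, sign or otherwise protect the stored baseline, and feed the compare() output into the same alerting pipeline as the audit logs; the point of keeping the baseline outside the monitored tree is that an attacker who can rewrite files should not also be able to rewrite the record of what those files looked like.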
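The remediation list earlier on this page calls for audit files that are “parsed for examination”, and the Audit Logs/Audit Trails/Parsing Tools item above points to the Audit and Accountability control family. The following added example (written for this page, not a FLANK or vendor tool) shows what that parsing step looks like in practice: it reads syslog-style authentication records, classifies failed logons, successful logons and privileged (sudo) commands, and flags any source address that exceeds a failure threshold. The log lines are constructed samples using RFC 5737 documentation addresses; the line formats follow common OpenSSH and sudo syslog output, and the threshold of three failures is an assumed tuning value, not a NIST requirement.

```python
import json
import re
from collections import Counter

# Constructed sample of an auth log (not captured from a real system).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 08:01:15 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 08:01:19 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 08:02:02 host1 sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Mar 10 08:02:40 host1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Mar 10 08:03:05 host1 sshd[2120]: Failed password for deploy from 198.51.100.7 port 33001 ssh2
Mar 10 08:03:30 host1 systemd-logind[700]: New session 12 of user deploy.
"""

# Patterns for the event types the Audit and Accountability family cares about most:
# logon failures, logon successes and use of privileged functions.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_auth_log(text):
    """Turn raw log lines into structured events; unknown lines are kept, not dropped."""
    events = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        ts = line[:15]  # "Mar 10 08:01:12" in classic syslog format
        for event_type, pattern in (
            ("auth_failure", FAILED_RE),
            ("auth_success", ACCEPTED_RE),
            ("privileged_command", SUDO_RE),
        ):
            match = pattern.search(line)
            if match:
                events.append({"ts": ts, "type": event_type, **match.groupdict()})
                break
        else:
            # Counting unparsed lines tells you how much of the audit trail you are not examining.
            events.append({"ts": ts, "type": "unparsed", "raw": line})
    return events


def summarize(events, failure_threshold=3):
    """Aggregate events into the view a reviewer would examine."""
    failed_by_source = Counter(e["src"] for e in events if e["type"] == "auth_failure")
    return {
        "failed_by_source": dict(failed_by_source),
        "flagged_sources": sorted(src for src, n in failed_by_source.items() if n >= failure_threshold),
        "successful_logins": [(e["user"], e["src"]) for e in events if e["type"] == "auth_success"],
        "privileged_commands": [(e["user"], e["target"], e["cmd"]) for e in events if e["type"] == "privileged_command"],
        "unparsed": sum(1 for e in events if e["type"] == "unparsed"),
    }


def demo():
    return summarize(parse_auth_log(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same structure scales to other sources (web server, database, directory service logs): one pattern per event type the control family requires you to capture, a structured event list, and a summary that records what could not be parsed, since an audit trail that is captured but never examined does not satisfy the intent of the controls.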
There are a multitude of companies offering vulnerability scanning services, such as the following:
FLANK can assist in identifying and procuring the best tools at the best price for your business. How? Simple, we leverage our strong relationships with many of the top compliance vendors for getting you what you need in terms of compliance tools.
Why FLANK for FISMA Compliance & Certification?
FISMA All-in-One Toolkit Available for Download
FLANK also offers world-class regulatory compliance documentation for download. FISMA compliance requires a healthy dose of documentation, no question about it, and we’ve spent hundreds of hours researching and authoring policies and procedures in accordance with NIST SP 800-53.
- NIST SP 800-53 Information Security Policies and Procedures Packet
- NIST SP 800-53 Policy Packet
- FISMA System Security Plan (SSP) Template
- FISMA Scoping & Readiness Assessment Templates
- Cyber Incident Response and Reporting Program
- Third-Party Due-Diligence & Vendor Management Program
- Risk Management & Risk Assessment Program