Decoding FISMA Compliance For Government Contractors


LISTENING TO A CONTRACTOR’S CONCERNS

“Our organization would like to pursue government contracts; however, with limited staff and budget, we are concerned about what it will take to comply with the IT security standards and documentation that is required as a result of FISMA.”

The Federal Information Security Management Act (FISMA) of 2002 requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.

The newly signed law, the Federal Information Security Modernization Act of 2014 (FISMA 2014), makes several key changes to FISMA, including an emphasis on continuous monitoring and the notification of security incidents.

Many organizations that would like to pursue government contracts are concerned about what it takes to comply with the IT security standards and documentation that is required as a result of FISMA. In this whitepaper, we walk through the basics of the National Institute of Standards and Technology (NIST) compliance framework, the minimum security requirements, and how organizations can demonstrate FISMA compliance.

NIST COMPLIANCE FRAMEWORK

FISMA requires organizations to meet minimum security requirements by selecting the appropriate security controls as described by NIST Special Publication (SP) 800-53 revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations.” Note that organizations must always reference the most current version of NIST SP 800-53 for the security control selection process.

What is NIST?
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. NIST works with industries to develop and apply technology, measurements, and standards.

According to NIST, an effective information security program should include the following:

1. Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization.
2. Policies and procedures that are based on risk assessments that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each organizational information system.
3. Subordinate plans for providing adequate information security for networks, facilities, information systems or groups of information systems, as appropriate.
4. Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks.
5. Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls, to be performed with a frequency depending on risk, but no less than annually.
6. A remediation program including processes for planning, implementing, evaluating, and documenting corrective actions to address any deficiencies in the information security policies, procedures, and practices of the organization.
7. Security incident management procedures including processes for detection, reporting, and response.
8. Continuity of operations plans and procedures to maintain availability of information systems that support the business needs and assets of the organization.

GUIDES FOR IMPLEMENTATION

As a result of the FISMA legislation, NIST established the FISMA Implementation Project in January 2003 to produce several key security standards and guidelines:

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems
NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments
NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53A Revision 4, Guide for Assessing the Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System
NIST Special Publication 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems
NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations

SPECIFICATIONS FOR MINIMUM SECURITY REQUIREMENTS

The Federal Information Processing Standards (FIPS) Publication Series of NIST is the official series of publications relating to standards and guidelines for FISMA. Organizations must meet the minimum security requirements detailed in FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, and must select the appropriate security controls and assurance requirements as described in NIST SP 800-53. According to these standards, minimum security requirements should include the following:

Awareness and Training
1. Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations or procedures related to the security of organizational information systems.
2. Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability
1. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
2. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
3. Confirm compliance with minimum auditable event requirements.

Contingency Planning
1. Establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Certification, Accreditation, and Security Assessments
1. Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
2. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; authorize the operation of organizational information systems and any associated information system connections.
3. Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management
1. Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
2. Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Identification and Authentication
1. Identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response
1. Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
2. Track, document, and report incidents to appropriate organizational officials and/or authorities.

Media Protection
1. Protect information system media, both paper and digital.
2. Limit access to information on information system media to authorized users.
3. Sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection
1. Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.
2. Protect the physical plant and support infrastructure for information systems.
3. Provide supporting utilities for information systems.
4. Protect information systems against environmental hazards.
5. Provide appropriate environmental controls in facilities containing information systems.

System and Services Acquisition
1. Allocate sufficient resources to adequately protect organizational information systems.
2. Employ system development life cycle processes that incorporate information security considerations.
3. Employ software usage and installation restrictions.
4. Ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

Maintenance
1. Perform periodic and timely maintenance on organizational information systems.
2. Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Planning
1. Develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security
1. Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions.
2. Ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers.
3. Employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment
1. Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

DEMONSTRATING FISMA COMPLIANCE

FISMA requires periodic testing and evaluation of the security controls in an information system to ensure that the controls are effectively designed, implemented, and operating. Security certification, a comprehensive evaluation of security control effectiveness through established verification techniques and procedures conducted by the organization or by an independent third party, is a required activity conducted to give those charged with governance confidence that the appropriate safeguards are in place. It should be noted that any significant modifications to controls may trigger the need for re-certification.

All government agencies, government contractors (including subcontractors), and organizations that exchange data directly with government systems must be FISMA compliant. Currently there is no standard “certification” of FISMA compliance. Phase II of the NIST implementation project is to develop a security assessment credentialing program that details requirements and responsibilities. For now, contractors should receive direction from their respective agency regarding the expectations for FISMA compliance and how to demonstrate it. An agency might be very specific about which information system security standards and controls it requires, or it may require contractors to adhere to all FISMA requirements.

Did You Know?
According to the Office of Management and Budget’s 2015 Annual Report to Congress on FISMA:
17 agencies’ Inspectors General (IGs) reported that their departments had programs in place to manage the FISMA compliance of contractor systems.
8 IGs reported that their departments’ programs included all required attributes.
9 IGs reported that their departments’ programs lacked at least one required element.

RESOURCES

Below are the resources used for this report.

Federal Aviation Administration - Obtain Security Authorization and Accreditation
FIPS PUB 200 - Minimum Security Requirements for Federal Information and Information Systems
NIST Information Technology Laboratory - Federal Information Security Management Act (FISMA) Implementation Project
NIST Computer Security Division - Federal Information Security Management Act (FISMA) Implementation Project
S.2521 - Federal Information Security Modernization Act of 2014
Annual Report to Congress: Federal Information Security Management Act

ABOUT ARONSON’S TECHNOLOGY RISK SERVICES GROUP

Our Technology Risk Services Group is committed to helping our clients focus on risks holistically, rather than identifying and measuring risk in a silo. Aronson offers a comprehensive suite of cybersecurity capabilities for contractors including security strategy, security architecture, security risk assessment, contract security compliance assessment and remediation. We align our service delivery with industry-leading frameworks such as NIST 800-37 and NIST 800-53.

INTERESTED IN LEARNING MORE?

For more information, contact Payal Vadhani, Partner of Aronson’s Technology Risk Services Practice, at pvadhani@aronsonllc.com or 301.231.6259.

AUTHORS

Payal Vadhani, CISA, Partner, pvadhani@aronsonllc.com
Melissa Musser, CPA, CISA, Manager, mmusser@aronsonllc.com

ABOUT ARONSON LLC

Aronson LLC provides a comprehensive platform of assurance, tax, and consulting solutions to today’s most active industry sectors and successful individuals. For more than 50 years, we have purposefully expanded our service offerings and deepened our industry specialties to better serve the needs of our clients, people, and community. From startup to exit, we help our clients maximize opportunity, minimize risk, and unlock their full potential. For more information about Aronson LLC, please visit www.aronsonllc.com, or call 301.231.6200.

