As the recent breach of the U.S. Office of Personnel Management demonstrates, the numerous agencies within the U.S. government are prime targets for cybersecurity attacks and other incidents that put sensitive data at risk. The federal government knows it has a bull’s-eye on its information systems, so Congress has enacted various pieces of legislation designed to bolster cybersecurity. One such law is the Federal Information Security Management Act of 2002 (FISMA), and its December 2014 update, Public Law 113-283.
The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. According to FISMA, the term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.
The National Institute of Standards and Technology (NIST) has a role in FISMA, and that is to develop:
FISMA applies to all agencies within the U.S. federal government. However, since the law was enacted in 2002, the government expanded FISMA to include state agencies administering federal programs such as unemployment insurance, student loans, Medicare, and Medicaid. The federal government further expanded the reach of FISMA into the private sector and dramatically increased implementation oversight. Now, any private sector company that has a contractual relationship with the government, whether to provide services, support a federal program, or receive grant money, must comply with FISMA. This latter expansion has caught many private sector companies off guard; they did not realize they were subject to a law originally designed solely for government agencies.
FISMA requirements do not preclude agencies storing data or using applications in the cloud. In fact, a government “cloud first” policy encourages agencies to use cloud computing as a means to reduce costs. Any cloud service provider (CSP) that supports the information or information systems of federal agencies is subject to compliance with FISMA. To facilitate the certification and authorization process, the government established the Federal Risk and Authorization Management Program (FedRAMP). This is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Cloud providers demonstrate they are FISMA compliant by following the NIST standards for security, undergoing an independent third-party security assessment, and obtaining a Provisional Authority to Operate (P-ATO) that government agencies may consider when selecting a cloud provider. Non-government customers of the cloud service provider can benefit from this program as well, knowing that the CSP follows NIST standards for protecting information and information systems.
While the full FISMA requirements are extensive and very detailed, the top requirements can be summarized as follows:
Maintain an inventory of information systems – Every agency should have in place an inventory of information systems that are operated by or under the control of the agency. The inventory must include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.
Categorize information and information systems according to risk level – All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels defined by FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems.” The guidelines are provided by NIST SP 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories.”
Maintain a system security plan – Agencies should develop and maintain a system security plan, which is a living document that requires periodic review, modification, and plans of action and milestones for implementing security controls. The system security plan is the major input to the security certification and accreditation process for the system.
Utilize security controls – Federal information systems must meet the minimum security requirements which are defined in FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems.” Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems.” Agencies have flexibility in applying the baseline security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.
Conduct risk assessments – Each agency should conduct risk assessments to validate its security controls and to determine if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the United States. The resulting set of security controls establishes a level of “security due diligence” for the federal agency and its contractors.
Certification and accreditation – Once the system documentation and risk assessment have been completed, the system’s controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems.”
Conduct continuous monitoring – All accredited systems are required to monitor a selected set of security controls and the system documentation should be updated to reflect changes and modifications to the system. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.
FIPS 140-2 encryption is considered an appropriate control to protect data in all states (i.e. at rest, in motion) and for all types of applications (e.g. data storage, transmission between systems, remote access, wireless access, etc.). In cases where the regulated organization uses cloud services, encryption is necessary during transmission to/from a cloud service and at rest in a cloud-based application or storage facility. It’s critical, however, that the cloud provider (or any unauthorized third party) not have access to the encryption keys, as this essentially provides access to the information in clear text. Thus, an agency or its authorized third party provider must control the encryption and key management processes.
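The key-control point above, as an added example that is not part of the original article: envelope encryption in Node.js, where the agency keeps the key-encryption key (KEK) and the cloud provider receives only ciphertext and a wrapped data key. The function names and the sample record are constructed for illustration; whether the underlying crypto module is FIPS 140-2 validated depends on the deployed build, which this code does not check.

```javascript
const crypto = require("crypto");

// AES-256-GCM. Output layout: nonce (12 bytes) || auth tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Reverses seal. Throws if the key is wrong or the data was modified.
function open(key, sealed) {
  if (sealed.length < 28) throw new Error("sealed data too short");
  const d = crypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Agency side. The KEK never leaves the agency (assumption: it lives in an
// agency-controlled key store); each record gets a fresh data key (DEK).
function encryptForCloud(kek, record) {
  const dek = crypto.randomBytes(32);
  const stored = { wrappedDek: seal(kek, dek), ciphertext: seal(dek, record) };
  dek.fill(0); // best-effort wipe of the plaintext data key
  return stored; // this object is all the provider ever receives
}

// Agency side. Without the KEK the stored object cannot be opened.
function decryptFromCloud(kek, stored) {
  const dek = open(kek, stored.wrappedDek);
  try {
    return open(dek, stored.ciphertext);
  } finally {
    dek.fill(0);
  }
}

// Constructed sample: a random demo KEK and a made-up record.
const demoKek = crypto.randomBytes(32);
const demoStored = encryptForCloud(demoKek, Buffer.from("constructed personnel record"));
console.log(decryptFromCloud(demoKek, demoStored).toString());
```

Rotating the KEK only requires re-wrapping each `wrappedDek`; the record ciphertext held by the provider does not have to be re-encrypted.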