FISMA compliance requirements
FISMA requirements for federal organizations and their contractors:
FISMA requirements
Inventory information systems
Prepare a system security plan
Get certified and accredited
Evaluate security controls
Ensure continuous monitoring
Inventory information systems. FISMA requires all federal agencies to create and maintain an inventory of information systems that they operate or that are under their control. This inventory must identify the interfaces between all systems within the agency’s network.
Prepare a system security plan. All federal agencies have to develop a security plan and update it regularly. These plans have to comply with NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems.
Get certified and accredited. Each federal agency has to conduct periodic security reviews to show that it can manage its systems in a FISMA-compliant way. This is accomplished through a four-phase process: initiation and planning, certification, accreditation, and continuous monitoring.
Assess risks. Federal organizations and their contractors have to validate their security controls and determine if any additional controls are needed to protect critical information. The resulting set of security controls establishes a level of security due diligence for the federal agency and its contractors.
Categorize risks. Each federal agency has to follow FIPS 199 Standards for Security Categorization of Federal Information and Information Systems. This standard explains how to categorize information and information systems by the potential impact of a security breach and sets out the requirements for doing so. Another helpful guide is NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories.
Evaluate security controls. Security controls include access controls, incident response, configuration management, and identification and authentication. All major security controls for complying with FISMA are defined in NIST SP 800-53. You should also explore the Federal Information Processing Standard (FIPS) 200 Minimum Security Requirements for Federal Information and Information Systems to learn more about minimum security requirements.
The NIST Risk Management Framework is an essential guide to FISMA compliance, as it offers a risk-based approach to selecting, implementing, and monitoring security controls.
Ensure continuous monitoring. All accredited systems used within a federal agency and by its contractors have to be monitored. Continuous monitoring is required to manage an organization’s security efficiently and to find and remediate vulnerabilities.
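The categorization step (FIPS 199 and SP 800-60) applied to the inventory step, as an added Python example that is not part of the original article: each inventoried system lists the information types it handles with provisional confidentiality, integrity and availability impact levels, and the script derives the system's security category and overall impact level by the high-water mark. The system names, information types and levels are constructed for illustration, not taken from SP 800-60.

```python
from dataclasses import dataclass

# FIPS 199 impact levels, ordered so the high-water mark is a max().
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

@dataclass(frozen=True)
class InfoType:
    """One information type with provisional impact levels (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

def high_water(levels):
    """Return the highest impact level in an iterable of level names."""
    return max(levels, key=lambda lvl: RANK[lvl])

def categorize_system(info_types):
    """Return (security_category, overall_level) for one system.

    Each objective takes the highest level of any information type the system
    handles (FIPS 199); the overall level is the highest of the three (FIPS 200).
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    for t in info_types:
        for lvl in (t.confidentiality, t.integrity, t.availability):
            if lvl not in RANK:
                raise ValueError(f"unknown impact level {lvl!r} on {t.name}")
    sc = {
        "confidentiality": high_water(t.confidentiality for t in info_types),
        "integrity": high_water(t.integrity for t in info_types),
        "availability": high_water(t.availability for t in info_types),
    }
    return sc, high_water(sc.values())

# Constructed sample inventory (hypothetical systems and levels, not SP 800-60 values).
INVENTORY = {
    "payroll": [
        InfoType("employee PII", "MODERATE", "MODERATE", "LOW"),
        InfoType("payment processing", "LOW", "HIGH", "MODERATE"),
    ],
    "public-website": [InfoType("press releases", "LOW", "LOW", "LOW")],
}

def categorize_inventory(inventory):
    """Categorize every inventoried system; returns {system: (sc, overall)}."""
    return {name: categorize_system(types) for name, types in inventory.items()}
```

For the constructed payroll system the result reads, in FIPS 199 notation, SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)} with an overall impact of HIGH, which is the level that drives the FIPS 200 / SP 800-53 baseline selection.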