The term ‘NIST Compliance’ may prove misleading. In order to understand the meaning of NIST Compliance, we first must understand the relationship between NIST and FISMA (Federal Information Security Management Act). The term ‘FISMA Compliance’ better represents the nature of the requirement.
In this post, we describe the relationship between NIST and FISMA, we define who is responsible for complying with FISMA, and we define the basic elements of FISMA compliance.
What is NIST?
NIST (National Institute of Standards and Technology) is a non-regulatory agency of the US Department of Commerce. The NIST mission: ‘To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life’. NIST produces the standards and guidelines (the FIPS and Special Publication series) that federal agencies use to meet the requirements of the Federal Information Security Management Act (FISMA).
What is FISMA?
FISMA was signed into law in 2002 as Title III of the E-Government Act of 2002 (and later updated by the Federal Information Security Modernization Act of 2014). FISMA defines a comprehensive framework for protecting government information, operations, and assets against natural and man-made threats. NIST provides the standards and guidelines that agencies follow to comply with it.
Scope of FISMA Compliance
We describe the scope of FISMA compliance in two broad categories: Affected Parties and Elements of Compliance.
Since FISMA took effect in 2002, its reach has extended beyond federal agencies to state agencies and private organizations that handle federal information or operate information systems on behalf of a federal agency. In practice this covers programs such as unemployment insurance, student loans, Medicare and Medicaid, and any private sector company whose contract with the US Federal Government involves federal data or systems.
Accordingly, we recommend all businesses that maintain or wish to maintain government contracts prepare for FISMA compliance. Additionally, all businesses can benefit from a review of FISMA compliance whether or not they have a legal requirement to do so. NIST standards, including those supporting FISMA compliance, provide many good recommendations for managing cybersecurity risk.
Elements of FISMA Compliance
NIST does not maintain a single pass/fail checklist with quantifiable measures that, once met, guarantees FISMA compliance. Instead, NIST defines a process, the Risk Management Framework (NIST SP 800-37), with the catalog of security controls in NIST SP 800-53. The nine steps below summarize what an organization should do to achieve and then maintain FISMA compliance.
- Categorize the information and information systems to be protected (FIPS 199).
- Select the minimum baseline controls for that category (FIPS 200 and NIST SP 800-53).
- Refine the controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement the security controls in the appropriate information systems.
- Assess the effectiveness of the security controls once they have been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.
Achieving FISMA Compliance
Companies use a variety of techniques to help them achieve FISMA compliance. No single best formula exists. A professional IT MSP, with relevant cybersecurity expertise and experience helping clients achieve FISMA compliance, can help you meet this objective with the least disruption to your business workflow.
Below we list a few topics and methods to consider in your quest to achieve FISMA compliance.
Inventory Assets – You need to maintain an up-to-date inventory of all your company’s assets that affect cybersecurity. This includes all related infrastructure, such as the hardware and software that stores, processes, or transmits protected data. An accurate inventory is a prerequisite for a meaningful cybersecurity risk assessment; a control cannot be assessed on a system nobody knows exists.
Define Cybersecurity Controls – You need to prepare a comprehensive list of all forms of cybersecurity controls used to limit the risk of data loss or theft. This will formulate the basis for the risk assessment to follow.
Define or Develop a Disaster Recovery Plan – A quality Disaster Recovery Plan demonstrates to the FISMA compliance auditor that your company is ready to mitigate the loss of data and information from any related incident. It also supports the contingency planning controls that the NIST baseline requires. You can refine your DR plan as part of the risk assessment.
Align Your Business and IT Strategies – Throughout the process of preparing for FISMA compliance, you should continually check for alignment of your business and IT strategies. This will serve to help you produce a FISMA compliance plan that supports vs. distracts from your business and operational workflow.
Define Cybersecurity Roles and Responsibilities – A FISMA Compliance Audit will likely include checking that your company’s cybersecurity management system includes a comprehensive definition of cybersecurity roles and responsibilities of everyone your company relies on to manage cybersecurity. This may include, for example, employee cybersecurity training logs.
Perform Cyber Security Risk Assessment – A FISMA compliance auditor will likely review your records for evidence to support your continued cybersecurity risk assessment. Using a standard cybersecurity risk assessment process, you can identify cybersecurity vulnerabilities in your system and refine controls to reduce the risk of data loss or theft.
Perform 3rd Party FISMA Compliance Audit – A 3rd party FISMA compliance audit can help you find gaps in your plan to achieve FISMA compliance before a federal customer or auditor does, and it produces independent evidence of control effectiveness for the assessment step.
How Do I Get Started?
CIS (Custom Information Services) has the relevant knowledge and experience to help SMBs prepare for and achieve FISMA compliance in a cost-efficient manner. CIS understands how to help you leverage the business benefits of achieving FISMA compliance in a manner that can produce a positive ROI.