The Federal Information Security Management Act (FISMA) requires each government agency to “develop, document, and implement an agency-wide program” that protects data and information systems. Private partners, contractors, and IT vendors that manage these systems and assets on behalf of the federal government also must comply with FISMA.
There’s no standard FISMA compliance checklist; however, the National Institute of Standards and Technology (NIST) has developed a host of standards and guidelines for implementing the requirements. Use the following five-step checklist and guide as a starting point for ensuring FISMA compliance.
1. Adopt a risk-based management framework.
The NIST Risk Management Framework (RMF) provides a repeatable, risk-based approach for managing privacy and security risks. Although NIST emphasizes that the RMF is not a FISMA compliance checklist, the framework creates a foundation for meeting core FISMA requirements.
The RMF breaks down the risk management process into seven steps:
- Prepare—start with activities that prepare you for implementation, including conducting risk assessments and identifying and prioritizing the necessary resources
- Categorize—determine the adverse impact on systems or the information, which could include assessing the sensitivity of data and potential impacts of a compromise
- Select controls—choose appropriate privacy and security controls that are tailored to your risks
- Implement controls—implement the controls and update your security plans accordingly
- Assess implementation—determine if the controls are properly implemented and how well they’re working
- Authorize the system—before placing the system into production, ensure accountability through an authorization package that includes components such as information on the system’s privacy and security posture
- Monitor—continuously monitor both the controls and the systems and conduct remediation as necessary
2. Understand the minimum security requirements.
An essential requirement of FISMA is FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.” The requirements include 17 areas that range from access controls and awareness training to contingency planning and incident response.
One of the FIPS 200 categories is identification and authentication, which requires you to identify users, processes, and devices and authenticate all those identities before you allow access to information systems.
3. Implement the NIST security controls.
To meet the minimum security requirements of FIPS 200, organizations must choose appropriate security controls that are described in NIST 800-53, “Recommended Security Controls for Federal Information Systems.” NIST published the latest version, Revision 5, in September 2020.
More than 150 controls fall into 20 categories, or families, with many of those mapping directly to the FIPS areas. For each category, NIST recommends a list of steps, with additional guidance on enhancing and enforcing the controls.
4. Audit your FISMA compliance.
Federal agencies must periodically audit their FISMA compliance and report the results to the Office of the Inspector General, which provides specific reporting metrics. The metrics align with the five domains, or functions, that make up the NIST Cybersecurity Framework.
While FISMA mandates the audits only for federal agencies, each agency may require its private sector contractors and providers to prove their compliance as well.
5. Automate controls and compliance.
FISMA compliance is a complex, ongoing process, and NIST recommends reducing manual tasks and automating the controls to the extent possible. According to NIST, nearly half of the controls can be either fully or partially automated.
Regulatory compliance is a time-consuming and expensive endeavor for organizations. SailPoint streamlines your compliance with FISMA and other regulations by helping you automate your digital identity management. Learn more about SailPoint’s approach to identity security.