
FISMA Compliance Checklist

Philip Robinson | Read time: 4 min | Published on March 27, 2023

What is FISMA?

The Federal Information Security Management Act (FISMA) of 2002, which was revised in 2014, aims to bolster the cybersecurity of federal information networks and systems. To achieve this objective, FISMA mandates that federal agencies formulate and incorporate information security strategies to safeguard government networks.

Why is FISMA important?

By complying with FISMA, federal agencies and other relevant entities can reduce the likelihood of sensitive data exposure. FISMA compliance ensures that organizations adopt a risk-oriented approach to cybersecurity, strengthening network security in the most vulnerable areas and thus helping to prevent damaging data breaches.

Who does FISMA apply to?

All entities found within the federal information network must comply with FISMA regulations, including federal agencies, service providers, as well as contractors and subcontractors throughout the supply chain. FISMA ensures that all such entities maintain a consistent level of protection across their networks.

FISMA Compliance Audit Checklist

Below is a checklist that covers the core requirements of FISMA:

Develop and maintain an information system inventory

Organizations must create and maintain an inventory of their information systems. The documentation should illustrate the network boundaries, including all endpoints and access points. This inventory is useful for designing information management plans, performing risk assessments, and prioritizing resources to protect sensitive areas. FISMA compliance involves categorizing system elements based on the level of security risk, which is determined by potential damage and the value of information. Categorizing data and prioritizing resources helps focus efforts on protecting higher-risk systems with enhanced controls.

Establish a system security plan

A system security plan (SSP) is an essential document that describes the system's cybersecurity controls, policies, and procedures. It needs regular updating and maintenance so that it reflects the current state of system security activities. The SSP should also include a plan of action and milestones (POA&M) for meeting FISMA requirements. Maintaining comprehensive documentation is necessary for demonstrating compliance with FISMA.

Adhere to the NIST guidelines

FISMA relies on the National Institute of Standards and Technology (NIST) framework to make federal systems more secure. NIST 800-53 outlines over 1,000 security controls that help to achieve this goal. These controls cover a range of security topics, such as personnel security and physical and environmental protection. NIST publishes other guidance for securing information systems, such as NIST 800-171, which is important for defense contractors and federal supply chains.

Formulate a risk assessment plan

FISMA requires federal agencies to create a risk assessment plan to identify and fix vulnerabilities. By continuously assessing and monitoring for risks, agencies can strengthen their system’s resilience against emerging threats.

Certify new systems, software, assets, or hardware

To ensure the security of federal networks and systems, organizations should have a process for reviewing and accrediting any new or existing software, hardware, or assets. This includes scrutinizing new software and hardware for potential vulnerabilities and following secure configuration policies. Having a standardized system for reviewing and accrediting these items will reduce the resources required. Companies will need to keep an inventory of software, systems, and hardware, such as:

  • Operating systems.
  • Web browsers and applications.
  • Desktop, mobile, and other hardware devices.
  • Cloud services.
  • Network devices, such as servers and routers.

NOTE: The Department of Defense (DoD) uses Security Technical Implementation Guides (STIGs), which outline secure configurations based on risk levels, to ensure system security. Any federal system or contractor network connecting to the DoD network must use STIGs.

Continuously monitor security controls and systems

Achieving FISMA compliance is just the beginning. Continuous monitoring and regular reporting are necessary to stay secure against emerging threats. This may include:

  • Performing routine evaluations of security protocols across all devices and systems.
  • Conducting a periodic review of emerging threats.
  • Assessing and continuously monitoring any changes to the federal system in order to detect and remedy vulnerabilities.
  • Scanning the network and firewall configuration for vulnerabilities.
  • Continuously monitoring system configurations.

Having the right tools in place to monitor security controls and systems is crucial to ensuring FISMA compliance.

How does Lepide Help with the FISMA compliance audit?

The Lepide Data Security Platform will give you visibility into all activity involving your FISMA-covered data. It will help you to discover and classify your critical data and ensure that employees don’t have access to it unless it is absolutely necessary for them to perform their role. The Lepide platform will continuously monitor all activity relating to your FISMA-covered assets, and provide real-time notifications to your inbox or mobile device on important changes. The Lepide platform will also generate pre-defined compliance reports that can be customized to meet the FISMA requirements.

If you’d like to see how the Lepide Data Security Platform can help you satisfy the FISMA compliance audit requirements, schedule a demo with one of our engineers or start your free trial today.

Philip Robinson

Phil joined Lepide in 2016 after spending most of his career in B2B marketing roles for global organizations. Over the years, Phil has strived to create a brand that is consistent, fun and in keeping with what it’s like to do business with Lepide. Phil leads a large team of marketing professionals that share a common goal; to make Lepide a dominant force in the industry.
