Your Cart is Empty
Menu
-
- View NIST RMF Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Assessment, Authorization and Monitoring (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environment Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- PII Processing and Transparency (PT)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Supply Chain Risk Management (SR)
- View All
- View Compliance Toolkits
- Enterprise
- About ASP
- FAQ
-
- ← Main Site
- Company
- Resources
- Blog
- Submit RFP
- Login
View NIST RMF Control Families
Add description, images, menus and links to your mega menu
A column with no settings can be used as a spacer
Link to your collections, sales and even external links
Add up to five columns
Add description, images, menus and links to your mega menu
A column with no settings can be used as a spacer
Link to your collections, sales and even external links
Add up to five columns
What is the Federal Information Security Modernization Act (FISMA)?
November 29, 2023 3 min read
What is the Federal Information Security Modernization Act (FISMA)?
In terms of FISMA “Compliance”, an independent audit, accompanied by a Security Assessment Report (SAR) is used for reporting on FISMA. Per NIST, a SAR “Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.”
But that’s not a hard and fast rule. At times, we’ve seen where federal contractors can provide only a System Security Plan (SSP) detailing their control environment against the NIST SP 800-53 controls. Other times, we’ve seen a simple statement of compliance given to federal contractors by a consulting firm. It all depends on who is asking for FISMA compliance. If it’s a federal agency, then expect to produce both an SSP and a SAR.
For federal contractors, FISMA compliance typically involves several key steps:
- Security Control Implementation: Contractors are required to implement a set of security controls outlined in NIST Special Publication 800-53, which provides detailed guidance on security controls across multiple categories, including access control, incident response, and encryption. These controls are tailored to the specific risks and needs of the contractor's systems and processes.
- Continuous Monitoring:FISMA compliance emphasizes continuous monitoring of information systems to identify and respond to security threats and vulnerabilities promptly. Contractors must establish monitoring processes, conduct security assessments, and report on the status of their security controls regularly.
- Risk Management Framework (RMF): Federal contractors must follow the RMF, a structured approach to managing security risks. This framework involves categorizing information systems, selecting appropriate security controls, implementing those controls, assessing their effectiveness, and continuously monitoring and managing security risks.
- Documentation and Reporting: Contractors are required to maintain extensive documentation of their security policies, procedures, and plans, as well as records of security incidents and compliance activities. Regular reporting to government agencies is also a critical component of FISMA compliance.
- Security Awareness and Training: Ensuring that personnel are aware of and trained in security best practices is essential. Federal contractors should provide security awareness training to employees and contractors who have access to federal information and systems.
Overall, FISMA compliance for federal contractors involves establishing a robust security framework, continuously monitoring for risks and threats, maintaining extensive documentation, and fostering a culture of security awareness. Adherence to FISMA requirements not only helps protect sensitive government data but also ensures federal contractors' eligibility for government contracts and partnerships. It's a critical component of maintaining trust and integrity in the federal contracting ecosystem.
100 + NIST 800-53 Templates Available for Download
The solution for NIST RMF documentation is the Arlington Security Portal (ASP), an online repository of world-class, industry leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.
From Beginning to End, Complete Project Management for FISMA
With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities, providing essential services for getting you to the finish line in terms of FISMA compliance. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Independent Security Assessment Reports (SAR)
- Continuous Monitoring (ConMon) Services
About Arlington
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.