DEPARTMENT OF DEFENSE

Legal & Regulatory Frameworks

CyberSSC provides additional information on the legal and regulatory compliance frameworks that apply to Federal and Non-Federal Contractors providing services inside or outside the Defense Industrial Base (DIBNet) supply chain. CyberSSC helps organizations build and customize their programs to demonstrate the maturity required to ensure confidence in their staff, contractors, systems, networks, and supply chain infrastructure. If you have questions or need assistance, please click the CONTACT US link below; thank you.

Contact Us

Government Information Security

  • FISMA: Federal Information Security Management Act
  • FedRAMP: Federal Risk & Authorization Management Program
  • DFARS: Defense Federal Acquisition Regulation Supplement

Federal Information Security Management Act (FISMA)

FISMA OVERVIEW

FISMA stands for the Federal Information Security Management Act, which the United States Congress passed in 2002: it requires federal agencies to implement information security plans to protect sensitive data.


FISMA and the National Institute of Standards and Technology (NIST) set guidance for data security compliance. NIST is responsible for maintaining and updating the compliance documents as directed by FISMA. More specifically, NIST:

  • Sets minimum requirements for information security plans and procedures.
  • Recommends the types of security (systems, software, etc.) that agencies must implement, and approves vendors.
  • Standardizes the risk assessment process and sets varying standards of information security based on agency risk assessments.
  • Accounts for each agency having different security requirements: the National Security Agency and Housing and Urban Development, for instance, have different risk levels and, therefore, different security requirements.


FISMA was created to require each federal agency to develop, document, and implement a complete information security plan to protect and support its operations. FISMA is one article in a larger piece of legislation called the E-Government Act, which recognizes the importance of information security to the United States' economic and national interests.


Congress amended FISMA in 2014 in the Federal Information Security Modernization Act. The amended legislation modified the original law, bringing FISMA in line with current information security concerns. Agencies are now encouraged to use more continuous monitoring and to focus more on compliance than the previous legislation required. Originally, FISMA applied only to federal agencies. Over time, the law has evolved to cover state agencies that manage federal programs (e.g., Medicare, Medicaid, unemployment insurance, etc.) and companies with contracts to work with federal agencies.


Private sector companies that do business with federal agencies must adhere to the same information security guidelines as the federal agency.

How to Become FISMA Compliant

FISMA COMPLIANCE

CyberSSC assists organizations in implementing FISMA information security controls across their organizations based on guidance from NIST SP 800-53.


FISMA requirements include the following:

  • Information System Inventory: FISMA requires every agency to maintain an inventory of all systems and their integrations in use.
  • Risk Categorization: FIPS 199 documents how an agency categorizes its risk and security requirements. According to this document, each agency is responsible for maintaining the highest level of security necessary.
  • System Security Plan: FISMA requires that each agency have a security plan in place and a process to make sure the plan is updated regularly.
  • Security Controls: NIST 800-53 defines 20 security controls each agency must implement to be FISMA compliant.
  • Risk Assessments: Any time an agency makes a change to its systems, it is required to perform a three-tiered risk assessment using the Risk Management Framework (RMF).
  • Certification and Accreditation: FISMA requires each agency to conduct yearly security reviews. Agencies must demonstrate they can implement, maintain, and monitor systems to be FISMA compliant.

Compliance Benefits

FISMA BENEFITS

Achieving FISMA compliance increases an agency's data security, protects citizens' private data, and reduces the federal government's IT-related costs. In the current data security climate, private sector companies should implement FISMA-compliant solutions for their data security. Companies must be FISMA compliant to work with federal agencies, which carries the added benefit of protecting their own data from breaches.


One of the most significant potential penalties for FISMA compliance violations is the loss of federal funding. For an agency, that could be detrimental, but for a federal contractor, it could be the end of the company. Other non-monetary penalties can include loss of reputation due to data breaches and bad press, or missing out on future federal project bid opportunities. If your company depends on federal funds for its ongoing revenue, you must be FISMA compliant.

FISMA Best Practices

BEST PRACTICES

Any organization will benefit from a FISMA compliance program regardless of federal government involvement. The EU passed GDPR; legislation in Congress now redefines PII, and annual data risk reports are required. Privacy and data protection laws are needed in the United States, and FISMA influences them. Some of the best practices include, but are not limited to:

  • Implement a comprehensive data security plan to classify data, monitor activity, and detect threats to your sensitive data.
  • Stay current with any changes to the FISMA standards.
  • Keep documentation of your FISMA compliance efforts.
  • Encrypt everything: data encryption is a FISMA requirement.

Federal Risk & Authorization Management Program (FEDRAMP)

FedRAMP OVERVIEW

The Federal Risk and Authorization Management Program (FedRAMP) is a government program that standardizes how agencies validate cloud computing services for FISMA compliance. CyberSSC can assist agencies looking at cloud computing options for cost savings, and FedRAMP guides them in managing risk and validating cloud services for use by federal agencies. Software vendors wanting to work with US government agencies must look into the FedRAMP authorization programs.


CyberSSC can assist with building a cloud solution and providing that solution to government agencies. CyberSSC can also help identify approved providers within the FedRAMP Marketplace, assist organizations with the FedRAMP authorization process, and develop organizations' performance standards to meet FedRAMP compliance requirements. If you are already a Cloud Service Provider (CSP) looking for a readiness assessment, CyberSSC can assist with the review of your compliance along with the following mandatory documentation:

  • System Security Plan (SSP)
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Continuous Monitoring Plan (ConMon)
  • Policies and Procedures

Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS OVERVIEW

The Defense Federal Acquisition Regulation Supplement (DFARS) is the Department of Defense (DoD) implementation of the Federal Acquisition Regulation (FAR). It is codified in Chapter 2 of Title 48 of the Code of Federal Regulations, the Federal Acquisition Regulation System.


DFARS, its companion documents Procedures, Guidance, and Information (PGI), and the FAR apply to purchases and contracts made through DoD contracting activities.


The primary objective of DoD acquisition is to acquire quality supplies and services that satisfy user needs, with measurable improvements to mission capability and operational support, at a fair and reasonable price.

DoD, FISMA, FedRAMP, DFARS, & CSF Regulatory Compliance

For organizations that need more information or assistance with their Federal, Non-Federal, Government, or Commercial compliance program, please click the CONTACT US link below. CyberSSC provides an initial consultation free of charge. Thank you, and we look forward to hearing from you soon.

Contact Us

Copyright © 2024 Cyber Security & Specialty Consultants - All Rights Reserved.
