FISMA Compliance Requirements & Best Practices (+ Checklist)

FISMA compliance should be your top priority if you’re a government agency or a private contractor doing business with the federal government. To help you better understand the complexities and implementation of this law, in this article, we’ll explain:

• What is FISMA
• How to stay compliant
• What are the benefits of FISMA compliance
• How to avoid penalties
• Why is email archiving important

What Is FISMA Compliance?

FISMA (The Federal Information Security Management Act) is a US federal law enacted in 2002 that affects government agencies and contractors and deals with the protection of information and information systems from threats — unauthorized access, use, modification, and destruction. The law has been amended by the 2014 Federal Information Security Modernization Act, the version known as FISMA Reform or FISMA 2014.

To meet FISMA compliance, government agencies, vendors, partners, and contractors need to ensure that sensitive information is retained and distributed appropriately and protected from security threats.

The main FISMA objectives are the integrity, confidentiality and availability of data contained in the information systems and the software and system themselves.

Achieving these objectives through FISMA compliance can enhance your organization’s reputation, increase customer trust, and protect your sensitive data from potential threats.

1. Data integrity
   This means that the data needs to be guarded against destruction and improper or unauthorized modification, while ensuring authenticity. The purpose of FISMA compliance is to ensure that no external (or unauthorized internal) parties are able to modify CUI (Controlled Unclassified Information) or CDI (Covered Defense Information).
2. Data confidentiality
   Data confidentiality is a key objective of FISMA compliance. It refers to the protection of information from unauthorized access and disclosure. This objective deals with “preserving restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” In plain terms, it means that all confidential and protected private information needs to remain precisely that — confidential and protected. Ensuring data confidentiality is crucial for protecting sensitive information and maintaining public trust.
3. Data availability
   When it comes to handling data, FISMA requires “timely and reliable access to information” and defines loss of availability as the “disruption of access or use of information.”

To comply with these FISMA standards, agencies are required to implement comprehensive programs to provide data security with the aim of protecting operations and assets.

Who Is Subject to FISMA?

FISMA was originally enacted with federal agencies in mind, but it has been expanded to include state agencies (like those that manage Medicare or student loans) and public and private organizations that provide services to the government, manage government contracts, or receive grants.

It is these private businesses that are most commonly penalized — a vast majority of them because they’re unaware that they are expected to adhere to FISMA in the first place.

How Is FISMA Compliance Implemented and Assessed?

FISMA enforces standards on agencies and their contractors and vendors through the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

NIST is responsible for:

• Establishing the minimum requirements for security plans and procedures
• Recommendations regarding the systems and software used to establish information security
• Approving vendors
• Standardizing the risk assessment process

NIST 800-53 is a publication that specifically lists the FISMA standards and guidelines that agencies and contractors need to adhere to in order to comply with FISMA.

When it comes to FISMA compliance assessment, an agency’s information security program evaluation is conducted annually and then reported to the OMB. It’s important to note that FISMA audits are done independently by inspectors general (IGs) or external auditors.

The cost of FISMA compliance is difficult to predict since most of the expenses are related to documentation and physical measures such as fire protection and monitoring of the data center. Some of these might have already been implemented or are handled in-house. Software tools are the third most costly item on the list — apart from the regular firewall, virus protection, and filtering, you’ll also need data archiving software.

There are three levels of FISMA compliance (high, moderate, and low), which indicate how secure or prone an agency’s or vendor’s systems are to issues.

These levels are outlined in NIST 800-71. Just like agencies, contractors are required to take appropriate measures when it comes to the retention and transit of sensitive and confidential information.

FISMA Compliance Checklist

So, how do you comply with FISMA? The NIST 800-53 risk management framework defines a six-step FINRA compliance process and lists the main FISMA compliance requirements that need to be met:

1. Create an information system inventory — Federal agencies and contractors need to categorize and keep an inventory of all information systems used in the organization, as well as define system integrations.
2. Establish system security controls — There are twenty security controls outlined in NIST 800-53 that agencies must implement to be FISMA compliant. It’s not mandatory to implement them all, but it is necessary to establish those that are relevant to the specific organization and its unique systems and operations.
3. Implement a system security plan — FISMA requires agencies to devise, follow and periodically update a security plan in line with the policies specified in NIST 800-53. The plan consists of security policies, whose effectiveness must be verifiable by the organization itself or the auditor.
4. Assess the risk — Agencies and contractors need to conduct risk assessment and ensure that business-critical and sensitive information is given the highest level of security. FIPS 199 documents how risk is categorized and lists specific security requirements.
5. Authorize and certify the information systems — During this stage, information systems are evaluated and amended if necessary by the certification agent, who also verifies the security controls outlined in the policy.
6. Monitor the security controls — Tracking and constant monitoring are crucial aspects of FISMA compliance. Security should be monitored proactively rather than reactively – by tracking technical tools and detecting bugs and vulnerabilities continuously and early on, but also by focusing on people, processes, and behaviors.

FISMA Compliance Best Practices

Here are some additional tips to help you achieve FISMA compliance and protect your organization from cyberattacks.

• Prioritize risk management. When data is created, Identify and categorize it based on its sensitivity. Allocate resources accordingly to address high-risk areas first.
• Develop a comprehensive security plan. Document your security policies, procedures, and controls. Update this plan regularly to reflect changes in your systems and risk landscape.
• Continuous monitoring. Implement tools and processes to monitor your systems for vulnerabilities, intrusions, and anomalies.
  Invest in employee training. Educate your staff on security policies, procedures, and best practices. Encourage a culture of security awareness across your organization.
• Consult external experts. If necessary, consult with cybersecurity experts to assess your compliance status and identify areas for improvement.
• Maintain thorough documentation. Keep detailed records of your compliance activities, including risk assessments, security plans, incident reports, and remediation efforts.
• Stay informed. Stay up to date with the latest changes in FISMA regulations, NIST guidelines, and emerging cybersecurity threats.

FISMA Compliance Benefits

In short, by implementing security measures mandated by FISMA, government agencies prevent costly security breaches, protect citizens’ sensitive data, and enhance their security posture.

For private businesses, FISMA compliance means strengthening their security practices, which builds trust and credibility with both federal agencies and their customers.

FISMA-compliant companies also gain a competitive edge when they apply for federal grants and contracts.

Achieving FISMA compliance can be demanding and expensive, but these benefits outweigh the initial investment. Bearing in mind that data breaches exposed more than eight million user accounts during Q4 of 2023, it’s safe to say that adherence to FISMA shouldn’t be optional.

It’s also worth mentioning that the public administration and healthcare sectors are among the most susceptible to security cyberattacks and security breaches.

FISMA Penalties

The penalties for non-compliance with FISMA depend on who failed the audit — a government agency or a contractor.

If a government agency gets a low FISMA score, the penalties will include censure and loss of work for a number of agency employees.

In case a partner (a private business) fails to comply, the most common penalties are the loss of federal funding and censure from entering any future government contracts.

Email Archiving and FISMA

Government agencies already need to adhere to very strict standards when it comes to the retention of communication records. This is mainly done because of the large numbers of FOIA requests (there were 928,353 incoming requests in FY 2022 and 1,122,166 requests in 2023) and for litigation support.

When purchasing email archiving technology, agencies need to ensure that they choose FISMA-compliant software.

What does that look like?

As we said earlier, agencies first need to know which controls need to be implemented in order to ensure the secure operation of the email archiving system.

This information is contained in NIST 800-53, the collection of recommendations regarding security controls for federal information systems. This assessment is conducted by an independent assessor who checks if a system can protect and ensure confidentiality, availability, and integrity, after which they grant an ATO (authority to operate).

Although an ATO is considered a demonstration of FISMA compliance, agencies will need to continuously monitor and periodically audit their security controls and ensure they are operating effectively. It is important to note that FISMA traditionally applies to non-cloud systems.

What is the difference between FISMA and FedRAMP?

For FISMA-compliant cloud services (if federal agencies wish to use cloud email archiving technology), both the agency and the cloud services provider need to obtain a FedRAMP authorization.

AWS, for instance, is compliant with the NIST 800-53 framework (Revision 5), as well as with FISMA and FedRAMP as Amazon’s cloud infrastructure and services have been validated by third-party testing.

Email Archiving for FISMA Compliance: Best Practices

Although FISMA emphasizes the protection and security of systems, it all comes down to the security of information contained in those systems.

Email archiving is only one piece of the FISMA process puzzle, but it remains a must for organizations to implement archiving practices in order to be fully compliant with the Act.

If you’re wondering how to achieve FISMA compliance using email archiving solutions, there are several software features that make the difference:

Access control through user roles

Having different access levels makes sure that the most sensitive information is unavailable to regular users. Users with privileges (CIOs, admins) should be able to monitor user activity, perform audits and verify data integrity to prevent unauthorized access, attempts at evidence spoliation, data breaches and leaking of sensitive information. This is much easier if the email archiving solution has customizable user roles.

Encryption

Email archiving software should be able to automatically encrypt data, at least classified data, that deserves the highest security levels. Built on top of AWS, Jatheon Cloud provides robust encryption mechanisms to secure data both at rest and in transit.

Authentication

Two or multi-factor authentication is advised in order to prevent unauthorized personnel or intruders from gaining access to critical and confidential data.

Monitoring

Continuous monitoring is mandatory for FISMA compliance, and some of these requirements can be outsourced. Agencies should check if an email archiving solution has built-in monitoring features like status reports and 24/7 tech support in case there is an incident.

System integrity

Data corruption would easily result in FISMA non-compliance penalties. The best way to ensure the integrity of your email archiving systems is to invest in enterprise-grade hardware, plan for disaster recovery, and choose a vendor that prioritizes hardware maintenance and offers periodical hardware refreshes.

Also, don’t forget to include social media in your FISMA/FedRAMP risk assessment strategy — although the law is very broad, if your agency is actively using social media, you will be required to retain and ensure security of those records as well.

Jatheon is a global, FISMA-compliant leader in email, social media, and mobile communications archiving with 20 years of experience in the government sector.

To learn how Jatheon’s cloud archiving software can help your agency ensure FISMA compliance, contact us or book a demo.

Summary of the Main Points

• FISMA compliance is essential for protecting government information and information systems from unauthorized access, use, modification, and destruction.
• This federal law applies to federal agencies, state agencies handling federal data, and private organizations working with the government.
• Agencies and vendors must implement security controls defined in NIST 800-53, conduct risk assessments, and continuously monitor systems.
• FISMA compliance benefits include enhanced security, risk reduction, and cost savings for federal agencies, as well as, competitive advantage, trust-building, and strengthened security for businesses.
• Implementation costs can be significant, but they’re outweighed by long-term benefits.
• Penalties for FISMA compliance violations are censure and loss of work for agency employees. Non-compliant businesses are hit with loss of federal funding and potential exclusion from future contracts.
• To ensure full FISMA compliance, organizations must implement a compliant email archiving solution, whose features include access control through system roles, encryption, authentication, monitoring, and system integrity.

About the Author

Marko Dinic

As Jatheon’s CEO, Marko Dinic oversees new business development and has a leadership role in shaping the company’s vision, strategy, and product development. Outside work, he loves visiting places off the beaten path, investing, and space travel.