FISMA Compliance: Requirements, Penalties and Email Archiving

August 20, 2018 by Jatheon

What Is FISMA?

The Federal Information Security Management Act (2002) is a US federal law that deals with information security, namely the protection of information and information systems from unauthorized access, use, modification and destruction. Under FISMA, government agencies must establish and maintain the integrity, confidentiality and availability of their data. The Act requires agencies to implement comprehensive information security programs that protect their operations and assets, including any information systems managed by contractors on their behalf.

What Are the Top FISMA Requirements?

1. Information System Inventory – Federal agencies and contractors need to keep an inventory of all information systems used in the organization and define system integrations.

2. Risk Assessment – Agencies and contractors need to conduct risk assessments and ensure that business-critical and sensitive information receives the highest level of protection.

3. System Security Plan and Controls – According to FISMA, agencies need to devise, follow and periodically audit a security plan, paying special attention to security controls and policies specified in NIST 800-53.

Email Archiving and FISMA

Other compliance regulations mandate that government agencies retain electronic documentation, primarily email, for Freedom of Information requests and legal procedures (eDiscovery). When purchasing email archiving technology, agencies need to ensure that the solution is FISMA-compliant. What does that look like?

Firstly, the agency needs to know which controls must be implemented to ensure the secure operation of the email archiving system. This information is contained in NIST 800-53, the catalog of recommended security controls for federal information systems. Whether those controls are in place and working is established by a security assessment conducted by an independent assessor, who checks that the system can protect and ensure confidentiality, availability and integrity, after which an ATO (authority to operate) is granted.

Although an ATO is considered a demonstration of FISMA compliance, agencies will need to continuously monitor and periodically audit their security controls and ensure they are operating effectively. It is important to note that FISMA traditionally applies to non-cloud systems. For the adoption of cloud email archiving technology, agencies and cloud services providers need to obtain a FedRAMP authorization.

Email Archiving Systems for Governments: Best Practices

Although FISMA emphasizes the protection and security of systems, it all comes down to the security of information contained in those systems. This is why ensuring that your important business data is secure will keep you 90% FISMA-compliant.

When it comes to email, creating an email retention policy is always the logical first step. Good email archiving solutions have customizable user roles, which means that the most sensitive information is simply unavailable to regular users. Administrators and compliance officers, on the other hand, can monitor, audit and verify data integrity to prevent unauthorized access, attempts at evidence spoliation, data breaches, leaking of sensitive information and tampering. Ideally, your email archiving solution will also encrypt data automatically, at least the classified data that you deem to need the highest security levels.
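The two properties the paragraph above asks of an archive, role-based visibility of sensitive mail and the ability of a compliance officer to verify that archived messages have not been altered, can be demonstrated with a small tamper-evident index. The following is an added example written for this page; it is not Jatheon's code or any product's implementation. It assumes a constructed set of three sample messages, a constructed HMAC key (in a real system the key would live in an HSM or key management service, not in source), and a hypothetical three-role model (`user`, `compliance`, `admin`). Each index entry commits to the message's SHA-256 hash and to the previous entry via a keyed MAC, so editing, reordering or deleting an archived message is detected on verification.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

# Assumption: constructed demo key. In production this comes from an HSM/KMS.
ARCHIVE_KEY = b"constructed-demo-key-do-not-use"

# Constructed sample messages; "classification" drives role-based visibility.
SAMPLE_MESSAGES: List[Dict[str, Any]] = [
    {"id": 1, "from": "alice@agency.example", "subject": "Cafeteria hours",
     "classification": "public", "body": "Open until 3 pm on Friday."},
    {"id": 2, "from": "bob@agency.example", "subject": "Draft budget",
     "classification": "internal", "body": "See attached figures."},
    {"id": 3, "from": "carol@agency.example", "subject": "Incident 42 notes",
     "classification": "sensitive", "body": "Details withheld from general staff."},
]

# Hypothetical role model: which classifications each role may read.
ROLE_CLEARANCE = {
    "user": {"public", "internal"},
    "compliance": {"public", "internal", "sensitive"},
    "admin": {"public", "internal", "sensitive"},
}

GENESIS = "0" * 64  # chain anchor for the first entry


def canonical(msg: Dict[str, Any]) -> bytes:
    """Stable serialisation so an identical message always hashes identically."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def message_hash(msg: Dict[str, Any]) -> str:
    return hashlib.sha256(canonical(msg)).hexdigest()


def link_tag(prev: str, msg_hash: str) -> str:
    """Keyed MAC binding an entry to its predecessor; needs the key to recompute."""
    return hmac.new(ARCHIVE_KEY, f"{prev}:{msg_hash}".encode(), "sha256").hexdigest()


def build_chain(messages: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Append-only index: every entry commits to its message and to the previous entry."""
    chain = []
    prev = GENESIS
    for msg in messages:
        h = message_hash(msg)
        tag = link_tag(prev, h)
        chain.append({"prev": prev, "msg_hash": h, "tag": tag})
        prev = tag
    return chain


def verify_chain(chain: List[Dict[str, str]],
                 messages: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the archive is intact, else (False, index of first bad entry).

    Detects edited content (hash mismatch), reordering (prev mismatch),
    and deletion or insertion (length mismatch or broken linkage).
    """
    if len(chain) != len(messages):
        return False, min(len(chain), len(messages))
    prev = GENESIS
    for i, (entry, msg) in enumerate(zip(chain, messages)):
        h = message_hash(msg)
        expected = link_tag(prev, h)
        if (entry["prev"] != prev or entry["msg_hash"] != h
                or not hmac.compare_digest(entry["tag"], expected)):
            return False, i
        prev = entry["tag"]
    return True, None


def read_message(role: str, messages: List[Dict[str, Any]], index: int) -> Dict[str, Any]:
    """Role-based read: mail above the role's clearance is simply not returned."""
    msg = messages[index]
    if msg["classification"] not in ROLE_CLEARANCE.get(role, set()):
        raise PermissionError(f"role {role!r} may not read {msg['classification']} mail")
    return msg


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Intact archive verifies; an after-the-fact edit to message 2 is caught at index 1."""
    chain = build_chain(SAMPLE_MESSAGES)
    intact, _ = verify_chain(chain, SAMPLE_MESSAGES)
    tampered = [dict(m) for m in SAMPLE_MESSAGES]
    tampered[1]["body"] = "Figures changed after the fact."
    still_ok, bad_index = verify_chain(chain, tampered)
    return intact, still_ok, bad_index


if __name__ == "__main__":
    print("intact, tampered_ok, first_bad_index =", demo())
```

The index is what a compliance officer would re-verify on a schedule (the continuous monitoring FISMA expects); the raw mailbox store itself is never trusted as proof of integrity. Because the tags are keyed, a party who can write to the archive but does not hold the key cannot rewrite an entry and re-link the chain around it.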

Don’t forget to include social media in your FISMA/FedRAMP risk assessment strategy. Although the law is very broad, if your agency actively uses social media to disseminate information, you will be required to retain that information and ensure its security as well. Penalties for non-compliance with FISMA include censure from future contracts and loss of federal funding.


Finally, don’t be afraid to ask for help and recommendations. Hiring a FISMA consultant or talking to your email archiving services provider can save you a lot of time and effort.

Jatheon is a global leader in email, social media and mobile communications archiving with 15 years of experience in the government sector. To learn how Jatheon’s solutions can help you ensure FISMA compliance, contact us or schedule your personal demo.
