What is FISMA compliance?
FISMA (The Federal Information Security Management Act) is a US federal law enacted in 2002 that affects government agencies and contractors and deals with the protection of information and information systems from threats – unauthorized access, use, modification and destruction. The law has been amended by the 2014 Federal Information Security Modernization Act, the version known as FISMA Reform or FISMA2014.
To meet FISMA compliance, government agencies, vendors, partners and contractors need to ensure that sensitive information is retained and distributed appropriately and protected from security threats.
The main FISMA objectives are the integrity, confidentiality and availability of the data contained in information systems, as well as of the software and systems themselves.
- Data integrity
This means that the data needs to be guarded against destruction and improper or unauthorized modification, while ensuring authenticity. The purpose of FISMA compliance is to ensure that no external (or unauthorized internal) parties are able to modify CUI (Controlled Unclassified Information) or CDI (Covered Defense Information).
- Data confidentiality
This objective deals with “preserving restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” In plain terms, it means that all confidential and protected private information needs to remain precisely that – confidential and protected.
- Data availability
When it comes to handling data, FISMA requires “timely and reliable access to information” and defines loss of availability as the “disruption of access or use of information”.
To meet these FISMA standards, agencies are required to implement comprehensive programs to provide data security with the aim of protecting operations and assets.
Who is subject to FISMA?
FISMA was originally enacted with federal agencies in mind, but it has been expanded to include state agencies (like those that manage Medicare or student loans) and public and private organizations that provide services to the government, manage government contracts or receive grants. It is these private businesses that are most commonly penalized – a vast majority of them because they’re unaware that they are expected to adhere to FISMA in the first place.
How is FISMA compliance implemented and assessed?
FISMA enforces standards on agencies and their contractors and vendors through the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).
NIST is responsible for:
- establishing the minimum requirements for security plans and procedures
- making recommendations regarding the systems and software used to establish information security
- approving vendors
- standardizing the risk assessment process
NIST 800-53 is a publication that specifically lists the FISMA standards and guidelines that agencies and contractors need to adhere to in order to comply with FISMA.
When it comes to FISMA compliance assessment, an agency’s information security program evaluation is conducted annually and then reported to the OMB. It’s important to note that FISMA audits are done independently by inspectors general (IGs) or external auditors.
The cost of FISMA compliance is difficult to predict, since most of the expenses are related to documentation and physical measures such as fire protection and monitoring of the data center. Some of these might have already been implemented or are handled in house. Software tools are the third most costly item on the list – apart from the regular firewall, virus protection and filtering, you’ll also need data archiving software.
On the federal level, FISMA-related expenses jumped from $5.5 billion in 2006 to $13.1 billion in 2015. The latest data from Statista shows that FISMA compliance currently accounts for more than 16% of total federal IT spending.
There are three levels of FISMA compliance (high, moderate and low) that indicate how secure, or how prone to issues, the agency’s or vendor’s systems are. These levels are outlined in NIST 800-71. Just like agencies, contractors are required to take appropriate measures for the retention and transit of sensitive and confidential information.
FISMA compliance checklist
So how do you comply with FISMA? The NIST 800-53 risk management framework defines a six-step FISMA compliance process and lists the main FISMA compliance requirements that need to be met:
- Create an information system inventory – Federal agencies and contractors need to categorize and keep an inventory of all information systems used in the organization, as well as define system integrations.
- Establish system security controls – There are twenty security controls outlined in NIST 800-53 that agencies must implement to be FISMA compliant. It’s not mandatory to implement them all, but it is necessary to establish those that are relevant to the specific organization and its unique systems and operations.
- Implement a system security plan – FISMA requires agencies to devise, follow and periodically update a security plan in line with the policies specified in NIST 800-53. The plan consists of security policies, whose effectiveness must be verifiable by the organization itself or the auditor.
- Assess the risk – Agencies and contractors need to conduct risk assessment and ensure that business-critical and sensitive information is given the highest level of security. FIPS 199 documents how risk is categorized and lists specific security requirements.
- Authorize and certify the information systems – During this stage, information systems are evaluated and, if necessary, amended by the certification agent, who also verifies the security controls outlined in the policy.
- Monitor the security controls – Tracking and constant monitoring are crucial aspects of FISMA compliance. Security should be monitored proactively rather than reactively – by tracking technical tools and detecting bugs and vulnerabilities continuously and early on, but also by focusing on people, processes and behaviors.
The penalties for non-compliance with FISMA depend on whether it is the government agency or a contractor that has failed the audit. If a government agency gets a low FISMA score, the penalties will include censure and loss of work for a number of agency employees. If a partner (a private business) fails to comply, the most common penalties are the loss of federal funding and being barred from entering any future government contracts.
Email Archiving and FISMA
Government agencies already need to adhere to very strict standards when it comes to the retention of communication records. This is mainly done because of the large number of FOIA requests (there were 858,952 incoming requests in FY 2019 and 772,952 requests in 2020) and for litigation support.
When purchasing email archiving technology, agencies need to ensure that they choose FISMA-compliant software. What does that look like?
As we said earlier, agencies first need to know which controls need to be implemented in order to ensure the secure operation of the email archiving system. This information is contained in NIST 800-53, the collection of recommendations regarding security controls for federal information systems. The system is then assessed by an independent assessor, who checks whether it can protect and ensure confidentiality, availability and integrity, after which they grant an ATO (authority to operate).
Although an ATO is considered a demonstration of FISMA compliance, agencies will need to continuously monitor and periodically audit their security controls and ensure they are operating effectively. It is important to note that FISMA traditionally applies to non-cloud systems.
What is the difference between FISMA and FedRAMP? For FISMA compliant cloud services (if federal agencies wish to use cloud email archiving technology), both the agency and the cloud services provider need to obtain a FedRAMP authorization.
AWS, for instance, is compliant with the NIST 800-53 framework (Revision 4), as well as with FISMA and FedRAMP as Amazon’s cloud infrastructure and services have been validated by third-party testing.
Email archiving for FISMA compliance: Best Practices
Although FISMA emphasizes the protection and security of systems, it all comes down to the security of information contained in those systems. While email archiving is only one piece of the FISMA process puzzle, it remains a must for organizations to implement archiving practices in order to be fully compliant with the Act.
If you’re wondering how to achieve FISMA compliance using email archiving solutions, there are several software features that make the difference:
- Access control through user roles
Having different access levels makes sure that the most sensitive information is unavailable to regular users. Users with privileges (CIOs, admins) should be able to monitor user activity, perform audits and verify data integrity to prevent unauthorized access, attempts at evidence spoliation, data breaches and leaking of sensitive information. This is much easier if the email archiving solution has customizable user roles.
- Data encryption
Email archiving software should be able to automatically encrypt data, at least for classified data that requires the highest security levels.
- Multi-factor authentication
Two-factor or multi-factor authentication is advised in order to prevent unauthorized personnel or intruders from gaining access to critical and confidential data.
- Continuous monitoring
Continuous monitoring is mandatory for FISMA compliance, and some of these requirements can be outsourced. Agencies should check whether an email archiving solution has built-in monitoring features like status reports and 24/7 tech support in case there is an incident.
- System integrity
Data corruption would easily result in FISMA non-compliance penalties. The best way to ensure the integrity of your email archiving systems is to invest in enterprise-grade hardware, plan for disaster recovery and choose a vendor that prioritizes hardware maintenance and offers periodic hardware refreshes.
Also, don’t forget to include social media in your FISMA/FedRAMP risk assessment strategy – although the law is very broad, if your agency is actively using social media to disseminate information, you will be required to retain and ensure security of that information as well.
Jatheon is a global, FISMA-compliant leader in email, social media and mobile communications archiving with 17 years of experience in the government sector. To learn how Jatheon’s solutions can help your agency to ensure FISMA compliance, contact us or get your personal demo.