FISMA

Overview

US federal agencies are required to comply with the Federal Information Security Management Act of 2002 (FISMA). FISMA requires agencies to develop, document, and implement controls to protect US federal agency information and the information technology systems supporting their operations and assets, including systems managed or provided by any third party or other agency.

FISMA defines information security as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability of information and information systems.

FISMA compliance provisions and responsibilities are directed as follows:

  • Agencies implement and manage key information security provisions using National Institute of Standards and Technology (NIST) standards, guidelines and tools for FISMA compliance
  • The Office of Management and Budget (OMB) conducts compliance reviews to determine the adequacy of each federal agency's security
  • Each agency is accountable for compliance, reporting, and management of its own information security program

FISMA requires each federal agency (and related contractors) to:

  • Maintain an inventory of agency information systems
  • Categorize information and information systems based on risk
  • Define minimum security controls according to NIST Special Publication 800-53
  • Implement a risk-assessment process
  • Develop a Security Plan (SP) for each information system, and regularly review and update it
  • Periodically review the security controls of agency information systems (Certification), and authorize system processing prior to operation and periodically thereafter (Accreditation)
  • Conduct regular certification and accreditation (C&A) of the systems
  • Continuously monitor the risks and security controls of the agency information systems

FISMA Compliance Program

The FISMA Compliance Program is designed to answer the questions raised by any company that stores, processes or transmits US federal agency information when it evaluates and selects products to support the FISMA requirements. The Compliance Program provides validated evidence of a product's features and capabilities in support of the FISMA requirements.

FISMA Compliance Testing and analysis cover several aspects of the product, including:

  • Compliance Effectiveness
  • Product Capabilities Support
  • Scope Impact Analysis and Coverage
  • Management and Usability
  • Suitability for Use and Recommended Configuration
  • Product Roadmap

FISMA Compliance Testing Criteria

Compliance testing is conducted by trained analysts against the FISMA Compliance Program criteria, as well as Compliance Labs functional and quality assurance requirements. The FISMA Compliance Program criteria are derived from the intent of the NIST SP 800-53 requirements as seen from the auditors' perspective, from companies' needs, and from consultation with numerous specialists, including affected product vendors, developers, users and industry groups. The compliance analyst reports the results of each phase of testing in the Compliance Report, which also documents the product components submitted by the vendor and the configuration of the product tested.

Continuous Evaluation Process

Compliance Labs has developed the FISMA continuous evaluation process as a fundamental aspect of the FISMA Compliance Program. The continuous evaluation process monitors new compliance requirements and best practices and updates the testing criteria accordingly, to drive product compliance effectiveness and quality over the long term.