US federal agencies are required to comply with the Federal Information Security Modernization Act of 2014, which amended the original Federal Information Security Management Act (FISMA) of 2002. FISMA requires agencies to develop, document, and implement controls to protect federal agency information and the information systems that support their operations and assets, including systems managed or provided by a third party or by another agency.

FISMA defines information security as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability of information and information systems. Since FY 2016, OMB and DHS (Department of Homeland Security) have organized the CIO FISMA metrics around the NIST (National Institute of Standards and Technology) Cybersecurity Framework.

FISMA requires each federal agency (and the contractors that operate systems on its behalf) to:

  • Maintain an inventory of agency information systems
  • Categorize information and information systems according to the risk their compromise would pose
  • Select minimum security controls according to NIST Special Publication 800-53
  • Implement a risk-assessment process
  • Develop a system security plan (SSP) for each information system, and review and update it regularly
  • Periodically assess the security controls of agency information systems (certification) and, before the system enters operation and periodically thereafter, formally authorize it to operate (accreditation); together these steps make up certification and accreditation (C&A)
  • Continuously monitor the risks to, and the security controls of, agency information systems

    FISMA Compliance Program

    The FISMA Compliance Program is designed to answer the questions raised by any company that stores, processes, or transmits US federal agency information when it evaluates and selects products to support the FISMA requirements. The program provides validated evidence of a product's features and capabilities in support of those requirements.

    FISMA compliance testing and analysis cover several aspects of a product, including:

    • Compliance Effectiveness
    • Product Capabilities Support
    • Scope Impact Analysis and Coverage
    • Management and Usability
    • Suitability for Use and Recommended Configuration
    • Product Roadmap

    FISMA Compliance Testing Criteria

    Compliance testing is conducted by trained analysts against the FISMA Compliance Program criteria, as well as Compliance Labs' functional and quality-assurance requirements. The FISMA Compliance Program criteria draw on the NIST SP 800-53 control requirements and on the NIST Cybersecurity Framework as the standard for managing and reducing cybersecurity risk, and are organized around the framework's five functions: Identify, Protect, Detect, Respond, and Recover. The compliance analyst reports the results of each phase of testing in the Report of Compliance, which also documents the product components submitted by the vendor and the configuration of the product as tested.

    Continuous Evaluation Process

    Compliance Labs has developed the FISMA continuous evaluation process as a fundamental part of the FISMA Compliance Program. The process monitors new compliance requirements and best practices and updates the testing criteria accordingly, so that product compliance effectiveness and quality are maintained over the long term.