The Federal Information Security Management Act (FISMA) is United States federal legislation that establishes a framework of guidelines and security standards for protecting federal government information systems. FISMA was enacted as Title III of the E-Government Act of 2002, and the National Institute of Standards and Technology (NIST) was tasked with developing the standards and guidance that support it.
Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs, and to private contractors and service providers that operate systems on behalf of the U.S. government.
At the highest level FISMA requires agencies to:
- Maintain an up-to-date inventory of information systems
- Categorize systems and data based on risk
- Create and maintain a system security plan
- Implement security controls
- Obtain and maintain an Authority to Operate (ATO) through Assessment and Authorization (A&A), formerly known as Certification & Accreditation
- Continuously monitor systems
A large part of obtaining and maintaining an ATO is developing and keeping current all required security documentation. Numerous factors can materially affect the A&A documentation: common controls, hybrid controls, major system changes, compensating controls, risk waivers, risk acceptances, and so on. Inadequate documentation is the number one reason the issuance of an ATO is delayed. GAI Cyber has substantial expertise in navigating the pitfalls of the ATO process and streamlining security artifact creation. Our team will develop and update all required documents for a new or ongoing FISMA security authorization, including:
- System Security Plan (SSP)
- Federal Information Processing Standard Publication 199 (FIPS 199) Categorization
- Incident Response Plan (IRP)
- Contingency Plan (CP)
- Disaster Recovery Plan (DRP)
- Privacy Threshold Analysis (PTA)
- Privacy Impact Assessment (PIA)
- Configuration Management Plan (CMP)
- Policies and Procedures
A crucial part of FISMA compliance is procuring an independent third-party assessor to audit the state of your compliance. Our team will conduct all required assessment procedures with your organization to give you an accurate snapshot of the current state of your security program and FISMA compliance.
We offer two types of assessments:
Gap Assessment
A tailored assessment, scoped to your needs, that identifies a list of gaps for you to remediate before undergoing a formal audit.
Independent 3rd Party Assessment
An unbiased assessment of your compliance against the required NIST SP 800-53 controls. Our team will interview personnel, examine documentation, and conduct technical testing to validate compliance, and will document any deficiencies. This type of assessment is what an agency requires before it grants an Authority to Operate (ATO). Our assessment process flow is described below.