FISMA, THE RMF AND WHY THEY ARE IMPORTANT
Written by:
2/9/2018 12:30 PM
Executive Summary
This blog series covers the Dos and Don'ts of contracting with the government. We'll cover the latest policies, guidelines and frameworks developed by the government that you need to know.
This blog is meant to introduce new contractors in the federal space to the inner workings of government business elements. As the government publishes new Information Security regulations and guidelines, we'll keep you updated on what you need to know and why you need to know it.
Key Terms
- Compliance: Adhering to a rule or a set of rules
- FISMA: The Federal Information Security Modernization Act, designed to provide the guidelines necessary to protect federal data
- Information Security: Ensuring the integrity, authenticity, availability, and confidentiality of information
- NIST: The National Institute of Standards and Technology, a non-regulatory agency under the Department of Commerce
- RMF: NIST's Risk Management Framework, providing guidelines to becoming FISMA compliant
Background
FISMA (Federal Information Security Modernization Act of 2014) is an amendment to FISMA 2002 (Federal Information Security Management Act of 2002). Essentially, the purpose of the amendment is to establish and highlight the importance of information security for federal systems and to mandate the development of, and compliance with, a government-grade information security framework. As a contractor, there are two noteworthy benefits that will come of this:
1. FISMA 2014 mandates a change in federal infrastructure that requires new hardware and services.
2. The amendment explicitly acknowledges that commercial information security products "offer advanced, dynamic, robust, and effective information security solutions" (U.S. Government Printing Office, 2014). This acknowledgement implies that the government is actively looking to the commercial market for solutions to its information security needs.
Additionally, NIST's RMF (Risk Management Framework) complements FISMA by providing guidelines that lead to becoming FISMA compliant. The RMF consists of 6 steps, according to NIST:
- Step 1: Categorize
- Step 2: Select
- Step 3: Implement
- Step 4: Assess
- Step 5: Authorize
- Step 6: Monitor
Which Parts of FISMA Apply to Contractors
Well, let's jump right to it: what parts of FISMA and the RMF are most relevant, and what happens when you are not compliant?
FISMA (2014) was intended for the government. The mandates described within do not directly require contractors to do anything. So, what's the big hoopla about? FISMA is important to contractors who are aiming to reap the benefits of working with the government.
The "IS" in FISMA is "Information Security," not "Systems Security." The major distinction here is that FISMA emphasizes the security of federal information through any medium, not just federal systems. This is where the RMF comes into play. The RMF abstracts information security requirements from federal law into a modular, scalable system development lifecycle, and it encapsulates everything you'll need to know about FISMA to be compliant.
The RMF relies heavily on Security Controls, which are its foundation. These controls are outlined in NIST SP 800-53 and will be covered in a later blog post. Their purpose is to provide safeguards and countermeasures that protect the security, integrity and availability of information (Joint Task Force Transformation Initiative, 2013).
The Consequences of Not Being Compliant
There are significant drawbacks to hosting infrastructures that are not FISMA compliant, including exclusion from competition for federal contracts. In light of the fact that warfare is shifting to the cyber arena, the Federal Government is pushing more and more to secure its data systems. These policies, in turn, affect the funding that is available to us contractors.
Non-compliant federal contractors with current contracts are also at risk of losing their contracts, or even facing federal charges. Furthermore, most federal grants now require FISMA compliance. The government simply will not fund organizations or projects that open security holes by not being FISMA compliant.
References
Joint Task Force Transformation Initiative. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from National Institute of Standards and Technology: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
U.S. Government Printing Office. (2014, December 18). S.2521 - Federal Information Security Modernization Act of 2014. Retrieved from congress.gov: https://www.congress.gov/bill/113th-congress/senate-bill/2521/text