After many years of discussion and debate about reforming the Federal Information Security Management Act (FISMA), it has finally happened: in December 2014, the President signed legislation bringing some major changes to FISMA compliance and reporting. These changes will have significant implications for two groups:
- Federal agencies
- Any organization that does business with federal agencies
How are the guidelines changing, and what steps can organizations take to streamline the transition? Let’s take a look.
FISMA: From snapshots to real-time
Perhaps the most important thing about the updates to FISMA is the elimination of antiquated reporting documentation requirements that most professionals regarded as adding no value to the process – documentation that ultimately did little to improve the security of organizations.
You could think of the old reporting process as an onerous snapshot: a time- and labor-intensive compilation of documents that reflected only a single moment in time of an organization’s information security readiness. These documents were submitted without any real expectation that anyone would read them, or that they would speak to the organization’s security realities in the future. This old process is being replaced by continuous monitoring.
Now, organizations will continuously monitor key performance indicators of their security programs, and those KPIs will serve the reporting function instead of the old documentation standards and requirements. Agencies and government contractors alike will be able to better understand where their information security posture stands at all times, and reporting will be much more streamlined and automated. Fundamentally, this is a move from moment-in-time documentation to near-real-time continuous monitoring – a major advance that should make for both stronger security and more efficient reporting.
FISMA: New players in oversight
The changes to FISMA also impact some of the key organizational players involved. Previously, the National Institute of Standards and Technology (NIST) was the primary driver behind the FISMA standards. The updated law establishes some new players, including the Department of Homeland Security.
In this newly shuffled deck of agencies, Homeland Security may lead oversight with support from NIST, with responsibility for implementing the reporting requirement changes assigned to the Office of Management and Budget (OMB).
Additionally, the FISMA update places a renewed emphasis on independent validation testing. Under the new rules, independent audits and independent validation tests on relevant systems are more important than ever. In conjunction with the other changes, this seems to mean that some old certification and accreditation processes are going away, taking a load off the shoulders of organizations – but the audits and overall level of scrutiny are actually increasing.
FISMA: Streamlining reporting
How can impacted agencies and government contractors most effectively prepare themselves for the transition in FISMA reporting and compliance? The best approach is to consider these changes as an opportunity, and evaluate new requirements alongside your other security obligations.
Where FISMA is concerned, you will be switching gears from spending massive amounts of time putting together documentation to more real-time, impactful security activity. There are likely other areas of security compliance responsibility where your organization can benefit from this shift as well.
As you change your procedures to meet new FISMA requirements, look for opportunities to take a more holistic approach to your overall compliance strategy. If you consider other information security-related regulations your organization complies with, you can effectively leverage one process to meet several different objectives.
FISMA’s new paradigm doesn’t mean agencies and business partners can relax. If anything, it will bring about greater scrutiny than ever before. But it also serves as a chance for you to implement streamlined and coordinated security reporting that leaves your organization less encumbered by arduous documentation, more informed, and ultimately safer.