For federal agencies and the contractors that serve them, compliance with the Federal Information Security Management Act of 2002 (FISMA) is a critical endeavor—and a complex and time-consuming one.
LBMC Information Security has been bringing federal contractors into FISMA compliance since its inception. With extensive experience securing the networks and data of government agencies and contractors, our team brings a holistic understanding of the risks these organizations face.
FISMA Compliance Services
LBMC Information Security provides a comprehensive range of services to keep federal agencies and their contractors compliant with FISMA requirements while providing a practical and relevant level of risk management.
System Security Plan (SSP)
We can help your team develop and maintain this comprehensive document that details your internal controls.
FISMA Risk Assessment
We provide the independent assessment of your control environment, which provides peace of mind to your internal and external stakeholders while maintaining FISMA compliance. Our penetration testing and vulnerability assessments identify and prioritize weaknesses through physical, logical and social testing techniques.
Our FISMA compliance reviews give agency officials the confidence they need to authorize a system to operate (the step formerly called accreditation).
Our recognized information security experts understand at a deep level how to maintain compliance with a range of complex security frameworks, from FISMA to HIPAA to Service Organization Control (SOC) reporting. As a result, we can perform a single assessment and produce multiple assurance reports in a cost-effective way.
What is FISMA?
In December 2014, the Federal Information Security Modernization Act of 2014 (commonly called FISMA 2014) was signed into law, updating the 2002 act and bringing major changes to FISMA compliance and reporting. These changes had significant implications for two groups:
- Federal agencies
- Any organization that does business with federal agencies
Perhaps the most important change FISMA 2014 made was to eliminate antiquated reporting documentation requirements that most professionals regarded as adding no value to the process, documentation that ultimately did little to improve the security of organizations.
You could think of the old reporting process as an onerous snapshot: a time and labor-intensive compilation of documents that reflected only a single moment in time of an organization’s information security readiness. These documents were submitted without any real expectation that anyone would read them, or that they would speak to the organization’s security realities in the future. This old process was replaced by continuous monitoring.
Now, organizations continuously monitor key performance indicators of their security programs. Agencies and government contractors alike can better understand where their information security posture stands at all times, and reporting is much more streamlined and automated.
Continuous Monitoring: Going Beyond Data
Oftentimes, audit findings and ongoing monitoring reports are organized in dashboards or report cards. While this type of reporting is useful, it is limited. Snapshot reporting is granular about data but typically says nothing about the process that produced it. It does help identify performance gaps, but it tends to elicit action around individual technical vulnerabilities and fixes, which might not solve the root problem.
It’s critical to go beyond summary data and conduct ongoing validation and testing of your processes as well. Think creatively, here. For example, choose five random change management tickets and verify that proper procedure was followed.
- Were all of the stakeholders notified?
- Did the appropriate advisory board members have an opportunity to weigh in?
- Was adequate testing performed?
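The spot check described above, automated as an added example (this is not code from the original page or from LBMC). It draws a random sample of change tickets, checks each one against the three questions in the list, and rolls the lapses up by control and by ticket owner so that a lapsing procedure or an individual who keeps skipping a step stands out. The ticket fields, the required stakeholder list, the sample size of five and the tickets themselves are constructed assumptions; a real run would pull tickets from the change management system.

```python
"""Sample change tickets and verify the change procedure was followed.

Added example, not the page's or LBMC's own tooling. The required
stakeholder list, sample size and ticket records are assumptions.
"""
import random
from dataclasses import dataclass

REQUIRED_STAKEHOLDERS = frozenset({"app-owner", "infosec", "ops"})  # assumed policy
SAMPLE_SIZE = 5  # "choose five random change management tickets"


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    owner: str            # person who raised/implemented the change
    notified: frozenset   # stakeholders recorded as notified
    cab_reviewed: bool    # advisory board had the chance to weigh in
    test_evidence: str    # link/path to test results, "" if none attached


# Constructed sample data; in practice pull from the ticketing system.
TICKETS = [
    Ticket("CHG-101", "alice", frozenset({"app-owner", "infosec", "ops"}), True, "tests/101.html"),
    Ticket("CHG-102", "bob",   frozenset({"app-owner", "ops"}),            True, "tests/102.html"),
    Ticket("CHG-103", "bob",   frozenset({"app-owner", "infosec", "ops"}), False, ""),
    Ticket("CHG-104", "carol", frozenset({"app-owner", "infosec", "ops"}), True, "tests/104.html"),
    Ticket("CHG-105", "alice", frozenset({"app-owner", "infosec", "ops"}), True, ""),
    Ticket("CHG-106", "dave",  frozenset({"ops"}),                         False, ""),
]


def check_ticket(t):
    """Return the list of procedure lapses for one ticket; empty means compliant."""
    lapses = []
    missing = REQUIRED_STAKEHOLDERS - t.notified
    if missing:
        lapses.append(f"stakeholders not notified: {sorted(missing)}")
    if not t.cab_reviewed:
        lapses.append("no advisory board review recorded")
    if not t.test_evidence:
        lapses.append("no test evidence attached")
    return lapses


def sample_tickets(tickets, n=SAMPLE_SIZE, seed=None):
    """Draw n tickets at random (seed only for reproducible audits)."""
    return random.Random(seed).sample(tickets, min(n, len(tickets)))


def review_sample(tickets, n=SAMPLE_SIZE, seed=None):
    """Sample, check, and summarise lapses per ticket and per owner."""
    sample = sample_tickets(tickets, n, seed)
    findings = {}
    lapses_by_owner = {}
    for t in sample:
        lapses = check_ticket(t)
        if lapses:
            findings[t.ticket_id] = lapses
            lapses_by_owner[t.owner] = lapses_by_owner.get(t.owner, 0) + 1
    return {
        "sampled": [t.ticket_id for t in sample],
        "findings": findings,
        "lapses_by_owner": lapses_by_owner,
    }


if __name__ == "__main__":
    result = review_sample(TICKETS, seed=42)
    print("sampled:", result["sampled"])
    for ticket_id, lapses in result["findings"].items():
        print(ticket_id, "->", "; ".join(lapses))
    print("lapses by owner:", result["lapses_by_owner"])
```

Keep the seed when you want a reviewer to be able to reproduce the same sample later; drop it for a genuinely random pull. The per-owner count is what turns a one-off finding into the pattern the text is after: one missing test result is noise, the same person skipping the advisory board three times is a process that has quietly stopped working.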
This type of sampling will help you identify procedures that are lapsing on a continual basis and/or individuals who are failing to perform the requisite tasks. But don’t stop there. It’s important to not only check that procedures are being followed but to also evaluate the process for its efficacy and alignment with business requirements. Sometimes, an organization will continue to perform a standard operation simply because ‘they’ve always done it that way.’ Under-performing processes become institutionalized, thereby weakening the effectiveness of security controls overall. Sure, validation tests help to verify that your staff is adhering to the procedure, but regular testing also gives you the opportunity to challenge each initiative to make sure it’s optimized and that it supports your business goals.
FISMA Audits: The Fundamentals
Inherent in FISMA are strict (and oftentimes onerous) requirements. To satisfy this mandate, agencies and contractors conduct regular independent assessments to determine how they are performing against the NIST SP 800-53 control requirements. Some organizations conduct this FISMA audit internally using an internal audit function, while others outsource it to a third party. With either approach, the executive management team is ultimately responsible for reporting on identified risks and evaluating the effectiveness of the organization's security controls. So what are the main components of a FISMA audit? As with most audits, you will want to include each of the following:
- Interview the individuals responsible for the control documentation process to gain an understanding of the overall process and key contacts and control owners.
- Gain an understanding of the current processing environment to determine where commonalities are expected within the control environment.
- Determine appropriate sample size and characteristics for each of the control areas under review.
- Conduct the control testing using the assessment methods (examine, interview, test) and assessment objects defined in NIST SP 800-53A to achieve each assessment objective.
- Document testing results within the FISMA Audit Report.
As you can imagine, a FISMA audit can be fairly disruptive and is often greeted with a general air of trepidation. Collecting supporting documents takes time away from daily operations, and most people are hesitant to build a case against themselves by helping auditors find issues. Process owners may become defensive or even try to conceal areas of control weakness.
That said, there are ways to lessen the inconvenience and threatening nature of an audit. Gather the key players and enroll them in your vision: an assessment is an opportunity to protect the company’s assets and reduce the number of security incidents. Help your staff understand how the assessment will facilitate change for the better, and be sure to provide a list of supporting documentation that each stakeholder is required to submit so your staff can be prepared in advance.
As a best practice, the audit team should make an effort to give credit where credit is due, which audit teams oftentimes fail to do. While lapses in a policy or procedure update shouldn’t be sugarcoated, it’s important to balance the findings by identifying what’s working. If you are seeking an outside vendor to conduct your assessment, make sure they are prepared to partner with you and your staff, rather than creating an environment of fear and generating findings to justify their fees. You want to challenge your staff to ‘better their best.’ If they understand the value of the assessment, they will be more likely to cooperate and work toward the common goal of having a better-protected system.
Building a Solid Foundation
Many organizations struggle to even cover the basics. They are constantly putting out fires and struggling to respond to new threats. They tend to perform poorly in audits. In fact, this type of organization is often unable to get out of audit mode, continually finding themselves responding to findings or scrambling to prepare for the next audit.
To counter this and to build a secure environment down to its core, we recommend implementing a solid foundation of security controls in several key areas. This set of controls will serve as a strong base and will eliminate the root causes of most high-risk audit findings. The initial effort to do this is costly, but in the long run, you will save time, money, and headaches; and your data will be more secure. We recommend that you evaluate the following process areas and institute a foundation of strong controls in each.
Information Technology Asset Tracking
Maintaining a controlled and accurate inventory of all IT assets is a critical underpinning of any information security program. The basic premise here is that you can’t control what you don’t know you have. For example, if an employee checks out a loaner laptop and doesn’t connect to the network for an extended period of time to update system patches, that system is officially in an insecure state. The unaccounted-for laptop has potential to show up at the worst possible moment—during an audit, of course, or when a malware outbreak is scanning your system for vulnerable machines. Evaluate your current IT asset inventory process and develop an enterprise approach to managing these assets across all business units and facilities. By carefully examining your business units, the flow of IT assets within your facilities, and the interrelationships of the departments that need IT asset tracking, system requirements can be defined to drive solid processes and an appropriate tracking solution.
Configuration & Patch Management
In today’s threat environment, strong configuration and patch management are vital to ensure that systems do not fall victim to malicious software and attacks. Historically, many would consider a 95% patch rate as very good, but today we have to be nearly perfect to be effective. The bar has been raised dramatically due to automated hacker tools that scan networks, looking for vulnerable systems. Configuration standards need to be developed for all major applications and general support systems. Furthermore, these configuration standards must be consistently implemented and continuously monitored for compliance at all times.
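The loaner-laptop scenario from the asset tracking section and the "nearly perfect" patch rate from this one are the same control viewed from two sides: an authoritative inventory reconciled against what is actually observed on the network, with patch age checked for every known asset. The following is an added example (not LBMC's or the page's own tooling) that does that reconciliation over a constructed inventory and a constructed list of observed hosts; the thresholds, field names and dates are assumptions.

```python
"""Reconcile the IT asset inventory against observed hosts and patch age.

Added example, not from the original page. Thresholds, record layouts and
all data below are constructed assumptions.
"""
from datetime import date, timedelta

MAX_PATCH_AGE = timedelta(days=30)   # assumed configuration standard
MAX_UNSEEN = timedelta(days=14)      # assumed: asset unseen this long is a finding

# Authoritative inventory (constructed). Source would be the CMDB/asset system.
INVENTORY = [
    {"tag": "LT-0001", "host": "lt0001", "owner": "alice",       "last_patched": date(2024, 5, 28)},
    {"tag": "LT-0002", "host": "lt0002", "owner": "loaner-pool", "last_patched": date(2024, 3, 1)},
    {"tag": "SV-0100", "host": "sv0100", "owner": "ops",         "last_patched": date(2024, 5, 30)},
]

# Hosts observed on the network (constructed). Source would be DHCP/NAC/EDR.
OBSERVED = [
    {"host": "lt0001",       "last_seen": date(2024, 6, 1)},
    {"host": "sv0100",       "last_seen": date(2024, 6, 1)},
    {"host": "lt0002",       "last_seen": date(2024, 3, 2)},
    {"host": "unknown-7f3a", "last_seen": date(2024, 5, 31)},
]


def reconcile(inventory, observed, today):
    """Return three finding lists: unregistered hosts, assets not seen recently,
    and assets whose last patch is older than the standard allows."""
    last_seen_by_host = {o["host"]: o["last_seen"] for o in observed}
    known_hosts = {a["host"] for a in inventory}
    findings = {"unregistered": [], "stale_seen": [], "stale_patch": []}

    for asset in inventory:
        seen = last_seen_by_host.get(asset["host"])
        # Never seen, or not seen for too long: the laptop in the drawer.
        if seen is None or today - seen > MAX_UNSEEN:
            findings["stale_seen"].append(asset["tag"])
        # Outside the patch window, whether or not it is currently online.
        if today - asset["last_patched"] > MAX_PATCH_AGE:
            findings["stale_patch"].append(asset["tag"])

    # On the network but not in the inventory: you cannot control what you
    # do not know you have.
    findings["unregistered"] = sorted(h for h in last_seen_by_host if h not in known_hosts)
    return findings


def patch_compliance(inventory, today):
    """Fraction of inventoried assets inside the patch window (0.0 to 1.0)."""
    if not inventory:
        return 1.0
    in_window = sum(1 for a in inventory if today - a["last_patched"] <= MAX_PATCH_AGE)
    return in_window / len(inventory)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(reconcile(INVENTORY, OBSERVED, today))
    print(f"patch compliance: {patch_compliance(INVENTORY, today):.1%}")
```

Run against the constructed data, the loaner laptop LT-0002 shows up twice (unseen and unpatched) and the unregistered host is surfaced even though the inventory has nothing to say about it. Feed the reconcile output into the continuous monitoring dashboard rather than a one-off report: the point is that the finding exists before the audit or the malware does.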
Effective change management is one of the most important core elements of a sound control environment. Establish an upper management control board to review changes and make risk determinations. Ideally, board members will serve for a long time, as continuity of this group is critical to ensure consistency of treatment for each type of request or change. The board is responsible for evaluating and accepting the risk of each change based on the following factors: the inherent level of risk in the change, the adequacy of test plans and related results, and the backout procedures available in the event of an issue.
Access Controls
User access control is a multi-faceted area that encompasses user identity management, facility access, and authorization from cradle to grave: from on-boarding a new user, through transfers and promotions, to termination. It is critical that procedures are put in place to notify the IT department immediately when there has been a change in an employee's status. Password configurations, levels of access, equipment assignments, remote transaction permissions, and facility accessibility all need to be reviewed on a regular basis and adjusted whenever an employee's status changes.
System Event Monitoring
Done manually, this control requires a massive amount of human capital to perform effectively. Even then, the ability to do the job manually is questionable. Automating this process is far superior in today's threat environment; it is advisable to deploy centralized logging and monitoring solutions to ensure that all major applications and general support systems are being monitored around the clock. Systems must be tuned and rules developed, which is an ongoing process as the threat environment is constantly changing. Consider using advanced techniques such as "honey tokens" (credentials, files, or records that have no legitimate use, so that any access to them is an anomaly worth investigating) to find anomalies. Having a robust anomaly detection strategy is one of the strongest defenses against APTs, spear phishing, and zero-day attacks.
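To make the honey token idea concrete, here is an added detection example (not the page's or LBMC's own code) that runs over a handful of constructed log lines. Three tokens are planted: a fake cloud access key ID, a dormant service account, and a canary spreadsheet on a file share. None of them has a legitimate user, so any line that mentions one is a high-confidence alert, and the source address is pulled out so the analyst can pivot immediately. The token values, the log formats and the sample lines are all constructed for this example.

```python
"""Detect honey token use in centralized logs.

Added example, not from the original page. The tokens, log formats and
log lines are constructed; a real deployment reads from the SIEM.
"""
import re

# Planted tokens (constructed). These must never be used by a real system,
# which is exactly what makes any hit on them a reliable signal.
HONEY_TOKENS = {
    "aws_key":     "AKIAHONEYTOKEN000001",
    "svc_account": "svc_backup_legacy",
    "canary_file": "/srv/share/Finance/payroll_2019.xlsx",
}

# Constructed log lines in a loose syslog style; the second, third and fourth
# lines each touch a honey token.
LOG_LINES = [
    "2024-06-01T08:12:03Z sshd[2101]: Accepted publickey for alice from 10.1.4.22 port 51234",
    "2024-06-01T08:14:10Z audit[77]: user=svc_backup_legacy action=login result=success src=10.9.8.7",
    "2024-06-01T08:15:42Z smbd[4410]: open file /srv/share/Finance/payroll_2019.xlsx by bob from 10.1.4.90",
    "2024-06-01T08:20:00Z cloudtrail: eventName=GetCallerIdentity accessKeyId=AKIAHONEYTOKEN000001 sourceIPAddress=203.0.113.5",
    "2024-06-01T08:21:11Z sshd[2102]: Accepted publickey for alice from 10.1.4.22 port 51240",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
# Source address in the three log shapes above (sshd "from", audit "src=",
# CloudTrail "sourceIPAddress="); extend for other sources.
IP_RE = re.compile(r"(?:from|src=|sourceIPAddress=)\s*(\d{1,3}(?:\.\d{1,3}){3})")


def scan_line(line):
    """Return an alert dict if the line mentions any honey token, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for name, token in HONEY_TOKENS.items():
        if token in line:
            ip = IP_RE.search(line)
            return {
                "ts": m.group("ts"),
                "token": name,
                "src": ip.group(1) if ip else None,
                "line": line,
            }
    return None


def scan(lines):
    """Scan a sequence of log lines and return the alerts in order."""
    return [alert for alert in map(scan_line, lines) if alert is not None]


if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(f"HONEY TOKEN HIT {alert['token']} at {alert['ts']} from {alert['src']}")
```

Because a honey token has no legitimate use, this rule needs none of the tuning that behavioural anomaly rules demand: it fires rarely and almost never falsely. The usual caveats are that the token has to look real enough to be picked up (a plausible file name, an account that appears in the directory) and that the token must be rotated if it ever appears in a public breach dump, since at that point it stops being a signal and becomes noise.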
Documentation Requirements & Formality
Documentation must be accessible to those who use it, updated as changes occur, and at your fingertips during an audit. A centralized repository of documentation is recommended; use of a single product on a corporate-wide basis is typically the best solution. That said, for many companies, the migration from a disparate system to a centralized one is a significant undertaking. We suggest the following approach:
- Inventory all existing policies and procedures; corporate-wide is recommended, but IT-wide is a minimum
- Identify gaps between required and existing documentation
- Document the desired business process to maintain documentation
- Determine the user population for the document repository and level of access needed
- Document the requirements and desired features for a robust solution
- Determine if a new solution is needed or if use of an existing solution can be expanded
- Define document templates—enforcing an organization structure and use of templates is critical to a successful implementation
Testing & Validation
A common characteristic of high-performing security programs is an integrated testing and validation program. On an on-going basis, validate current processes in light of both compliance requirements and the threat environment. The key to a successful testing & validation program is the ability to subsequently hold stakeholders responsible for controls and make improvements as appropriate. A testing and validation program should not be viewed as a policing activity; rather, it should have a philosophy of continuous process improvement and innovation. Testing and validation will necessarily include: annual FISMA audits, penetration testing, security testing, and due diligence testing on new technology and connections.