What is the Federal Information Security Management Act (FISMA)?

Updated most recently in 2014, FISMA defines a framework to defend information, operations, and digital assets against natural disasters and man-made cyber threats.

While the act pertains to government agencies, it can also serve as a solid framework for any business to strengthen its IT security posture.

In 2002, shortly after 9/11, the Federal Information Security Management Act (FISMA) went into effect. The events of that day prompted the U.S. government to realize the importance of IT security to the economic and physical security interests of the United States. The act requires federal agencies to develop, document, and implement measures for protecting their data and information systems.

FISMA Metrics: A Solid Starting Point

If you’re looking to bolster your IT security program, a good place to start is the FISMA Metrics document issued in 2019. It outlines the five basic components for which IT needs to allocate people, processes, and technologies in order to establish a strong security posture:

• Identify Assets—inventory all digital assets (hardware devices, software systems, and data) connected to the IT network; then implement a solution to automatically detect any assets added to or removed from the network.
• Apply Controls—implement technologies to safeguard systems, networks, and facilities with appropriate cybersecurity defenses. The controls should also limit and contain the impact of cybersecurity events.
• Detect Threats—deploy solutions to discover cybersecurity events in a timely manner by maintaining and testing intrusion-detection processes and procedures that identify anomalous events on systems and networks.
• Respond to Breaches—develop policies with procedures that detail how to respond to cybersecurity events. Also, test response plans and communicate activities to business users in order to minimize the impact of any breaches.
• Recover Operations—implement resilience measures to quickly reduce the impact of breaches and to restore IT services impaired by cybersecurity events and return the business to normal operations.

These five components can serve as an outline to guide you in building or augmenting your IT security program. While you can also check out the complete details of FISMA, you will more than likely want to work directly with an IT security consultant to determine the resources you need and the technology investments you need to make.

Leverage NIST to Complement FISMA Efforts

It’s also helpful to consider other standards and resources that complement FISMA, such as those offered by the National Institute of Standards and Technology (NIST), another federal program and which falls under the U.S. Department of Commerce. NIST offers various programs that can help you comply with FISMA and recommends eight steps that go into a more detail than the five FISMA metrics listed above:

1. Categorize the information to be protected—so you know which data is most sensitive.
2. Select the minimum baseline security controls—stronger controls are always better, but at least apply enough to cover your digital assets.
3. Refine controls using a risk assessment procedure—just in case you need stronger controls for specific digital assets.
4. Document the controls in the system security plan—so that you evaluate periodically.
5. Implement security controls in appropriate information systems—now you should be protected!
6. Assess the effectiveness of the security controls once they have been implemented—monitor what happens on your network and record any breaches that occur.
7. Determine risk levels to the company mission and business cases—to plan for future enhancements to your security posture.
8. Monitor the security controls on a continuous basis—as new technologies emerge and more assets are deployed on your network, you may need new controls.

NIST has developed several standards, guidelines, and other publications that federal agencies must follow to implement FISMA and to manage cost‐effective programs that protect digital assets. The guidelines can be leveraged by your business as well. Check out NIST publications like the 800‐series as well as NIST FIPS 199 and FIPS 200. Collectively, they can help build a detailed a risk‐based security framework to assess, select, monitor and document the security controls for all of your IT systems.

Managed File Transfer Plays Key Role in Compliance

One of the critical tools to have in your back pocket for IT security and regulatory compliance is managed file transfer. Since security controls are needed to ensure the secure delivery and storing of sensitive government data, a MFT solution like MOVEit will be essential to compliance. A robust MFT solution will offer the highest level of encryption and also provide automated workflows to ensure business continuity and efficiency. MOVEit is easy to deploy and offers a series of different options depending on your business needs. Progress’ MOVEit offers separate SaaS, cloud, and on-premise solutions.