Building Risk-Awareness into the FISMA-Compliant Cloud (Part 1)


FISMA compliance requires ongoing monitoring that adapts as the threat landscape evolves. To stay vigilant with information security, monitoring must become dynamic, aware of emergent risks in near real-time.

  • NIST Risk Management Framework – 6 Steps
  • Cloud Ongoing Monitoring Plans – 6 Elements
  • FISMA-Compliant Partnership

In order to meet the requirements of the Federal Information Security Management Act, government agencies and cloud companies have to follow strict rules and parameters. One that requires refined best practices is the need for ongoing monitoring.

To standardize federal efforts and clarify how to maintain compliance, the FISMA recommendations published by the National Institute of Standards and Technology (NIST) contain a risk management framework that details how public-sector entities and technology services can monitor risk.

NIST Risk Management Framework – 6 Steps

The framework basically delineates how to set up a risk management apparatus and keep it rolling. NIST explains why focusing on risk is so important: “The management of organizational risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for an information system—the security controls necessary to protect individuals and the operations and assets of the organization.”

There are six basic steps that can be taken to manage risk within your legacy systems, per the framework. Pay special attention to the sixth one:

Step 1 – Label

Conduct an impact analysis so you understand all possible negative consequences to particular parts of your infrastructure. Label each system and dataset in terms of that impact.

Step 2 – Choose

Determine what bare-minimum security tools should be used on that system because of the way you have labeled it. Choose appropriate tools, adding more if that seems wise according to your general risk analysis.

Step 3 – Deploy

Activate all mechanisms. Record how you installed the tools and put them into action.

Step 4 – Test

Test your system to make sure that all your protections are set up in the strongest, most coherent way.

Step 5 – Confirm

Sign off that the IT environment is safe to use following your evaluation of vulnerability, which extends from the agency’s own activities and resources to people, from additional agencies to the United States as a whole. A signature means that you have mitigated risk to an acceptable level.

Step 6 – Monitor

Finally, NIST says, it is necessary to continually analyze the security tools you have established for your IT infrastructure, so you can determine whether your controls are working, record any adjustments, apply any impact analysis findings, and communicate security details to leadership as relevant.

Cloud Ongoing Monitoring Plans – 6 Elements

That final step deserves its own dedicated consideration, according to Veris Group cybersecurity consultant David Svec. “Continuous monitoring for FISMA compliance requires cloud providers to shift from a traditionally static approach to a cyclical, more dynamic strategy in order to provide the near real-time situational awareness they need to make evidence-based security decisions,” he explains, adding that awareness of moment-by-moment security creates stronger compliance with additional security standards, including PCI, HIPAA, HITECH, and SOX.

Ongoing monitoring is not really about taking notes on threats. It’s about continually tweaking and modifying security. To implement a strong ongoing monitoring plan for a cloud service, as we have, you must include administration, technology, instructional guides, assessments, documentation, and execution.


In order for ongoing monitoring to change appropriately given the context, general IT governance (the establishment of accountability and responsibility) and administration are essential. Three components are necessary for sound management:

  • Ongoing monitoring plan – Cloud service providers (CSPs) need to have a strategic plan that is verified by their top leaders and technology directors. The plan should state specifically what is done in order to perform regular analyses. The document itself should be reviewed periodically as well.
  • Integration – Cloud companies want their monitoring meshed into general business operations through the establishment of responsibility. “This approach allows the strategy to become an integrated and ongoing part of business operations — not a special add-on,” and “This reinforces the focus on real-time monitoring over point-in-time assessments.”
  • Action – To move forward in an organized fashion, CSPs need to know exactly what they are going to do, which is why it’s important to document not just policies but procedures as well. Firms don’t just want to figure out how their systems can fail: once they have assigned accountability for all aspects of monitoring, they have also identified those who must lead remediation.

Careful, comprehensively documented administration allows you to continually monitor in a no-frills way that resolves issues efficiently and in the absence of confusion.


Figuring out which devices and applications best maintain security is of course fundamental for CSPs to succeed with ongoing monitoring. “A cost-effective approach is for cloud providers or agencies to take stock of their existing environmental sensors,” comments Svec, “and then determine what new security and reporting tools are required to provide the appropriate level of automation.”

FISMA-Compliant Partnership

Do you need a FISMA-compliant environment? At Superb Internet, our systems are based on security best practices that meet or exceed NIST SP 800-53 Rev. 3 requirements, implemented at the physical, network, system, and operational/management layers. Learn more here.

NOTE: This is the first part of a two-part series. To read Part 2, please click HERE.

By Kent Roberts
