Toward a Fully FISMA-Compliant Federal Cloud


FISMA compliance is a fact of life for federal agencies. However, many agencies aren’t meeting regulatory requirements with their cloud computing services.

  • What is FISMA?
  • How to Achieve FISMA Compliance
  • FISMA Cloud Compliance Has Holes
  • The FISMA-Compliant Cloud

What is FISMA?

The Federal Information Security Management Act (FISMA) was passed by the U.S. Congress to create a management structure for safeguarding federal data, systems, and assets against natural disasters, cyberattacks, and human error. FISMA was enacted as Title III of the E-Government Act of 2002.

FISMA makes each agency responsible for the security of its own systems and gives oversight bodies the authority to enforce that responsibility across the federal enterprise, explained Margaret Rouse in TechTarget. “The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs,” she said, “with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.”

How to Achieve FISMA Compliance

The National Institute of Standards and Technology (NIST) outlines a nine-step process (its Risk Management Framework) for meeting and maintaining FISMA compliance:

  1. Categorize the system: using the security category definitions in FIPS 199, determine the impact level (low, moderate, or high) of the information the system processes.
  2. Select the baseline security controls that FIPS 200 and NIST SP 800-53 require for that impact level.
  3. Refine the baseline with a risk assessment, adding or tailoring controls where the assessment shows the baseline is not enough.
  4. Document the selected controls in the system security plan.
  5. Implement the controls in the system.
  6. Assess the controls to confirm they are in place, operating as intended, and producing the desired outcome.
  7. Determine the residual risk to agency operations, assets, and individuals, and whether that risk is acceptable.
  8. Authorize the system for operation (the authority to operate, or ATO) if the risk is accepted.
  9. Monitor the controls continuously, reporting changes and re-assessing as the system and its threats change.

FISMA Cloud Compliance Has Holes

Federal agencies rely on outside IT providers to run infrastructure for them, and much of that infrastructure is now cloud computing environments.

Agencies are expected to ensure that the IT systems they use, especially cloud systems, fully meet federal requirements. While agencies do in some cases have procedures in place to govern their relationships with service providers, those procedures often fall short of the requirements, as the fiscal 2014 FISMA report to Congress, released publicly in February 2015, makes clear.

In fact, more than half of the agencies that use contractor-operated systems were not meeting all the stipulations of FISMA, said Nicole Blake Johnson of FedTech Magazine. “Of the 17 inspectors general who reported that their departments have programs in place to manage contractor systems,” she wrote, “only eight IGs said those programs had all the required elements.”

The departments were not named in the report, but the other nine inspectors general acknowledged that their contractor programs fell short in one or more of these three areas (some departments fell short in more than one):

  1. Four departments did not obtain sufficient evidence that the required security controls had actually been implemented in their contractors’ systems.
  2. Three departments had not compiled a complete inventory of the systems operated for them by outside parties, in the public cloud and elsewhere.
  3. Six departments had data in public cloud and other contractor-managed environments that did not meet the requirements of NIST standards, Office of Management and Budget (OMB) policy, and FISMA.

FISMA compliance rests not only on the statute itself but on the standards and policy it points to, above all NIST’s. “NIST standards are the foundation for the government’s Federal Risk and Authorization Management Program (FedRAMP),” said Johnson. “The program standardizes security assessment, authorization and continuous monitoring of cloud solutions used in the government.”

The report additionally noted that some departments are not equipped or staffed to monitor risk within cloud systems themselves, and that FedRAMP exists to address that weakness. Once a cloud provider’s system receives a FedRAMP authorization, continuous monitoring begins, but continuous monitoring only works if the provider actually carries out the required practices; it is those practices that make the provider’s service usable in a FISMA-compliant way.

FedRAMP-authorized providers must complete vulnerability scans at least every 30 days. Any high-severity finding must be remediated within 30 days of discovery (FedRAMP allows longer windows for moderate and low findings). Previously, quarterly scans were allowed in some cases, but scanning is now monthly across the board to align FedRAMP with the Department of Homeland Security’s continuous monitoring requirements.
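The two checks that cadence implies, a scan no older than 30 days and no open finding past its remediation window, are easy to automate against a provider’s monthly deliverable. The script below is an added example written for this page, not Superb’s tooling or a FedRAMP artifact. It runs over a constructed list of findings and scan dates; the 30-day window for high-severity findings is the figure given above, while the 90- and 180-day windows for moderate and low findings are FedRAMP’s published continuous monitoring timelines and are an assumption of this example, since the page itself mentions only the 30-day figure.

```python
from datetime import date, timedelta

# Remediation windows in days, keyed by finding severity. The 30-day figure
# is the one the text quotes for high findings; the 90/180-day values are
# FedRAMP's continuous monitoring timelines and are assumed here.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

# A vulnerability scan must be no more than this many days old.
SCAN_INTERVAL_DAYS = 30

# Constructed sample data: fictitious scan history and findings for one
# provider, with a fixed "today" so the results are reproducible.
TODAY = date(2015, 6, 15)
SCAN_DATES = [date(2015, 4, 10), date(2015, 5, 12)]
FINDINGS = [
    {"id": "F-001", "severity": "high",     "first_detected": date(2015, 4, 20), "status": "open"},
    {"id": "F-002", "severity": "high",     "first_detected": date(2015, 6, 1),  "status": "open"},
    {"id": "F-003", "severity": "moderate", "first_detected": date(2015, 2, 1),  "status": "open"},
    {"id": "F-004", "severity": "low",      "first_detected": date(2015, 1, 1),  "status": "open"},
    {"id": "F-005", "severity": "high",     "first_detected": date(2015, 3, 1),  "status": "closed"},
]


def check_scan_cadence(scan_dates, today):
    """Return (most recent scan date, True if it is within the 30-day window).

    A provider with no scans on record is never current.
    """
    if not scan_dates:
        return None, False
    last = max(scan_dates)
    return last, (today - last).days <= SCAN_INTERVAL_DAYS


def remediation_deadline(finding):
    """Deadline by which an open finding of this severity must be fixed."""
    window = REMEDIATION_DAYS[finding["severity"]]
    return finding["first_detected"] + timedelta(days=window)


def overdue_findings(findings, today):
    """Return open findings whose remediation deadline has already passed.

    Closed findings are ignored; each returned record carries its deadline
    and how many days it is past that deadline.
    """
    overdue = []
    for finding in findings:
        if finding["status"] != "open":
            continue
        deadline = remediation_deadline(finding)
        if today > deadline:
            overdue.append({
                **finding,
                "deadline": deadline,
                "days_overdue": (today - deadline).days,
            })
    return overdue


def conmon_status(findings, scan_dates, today):
    """Summarize both checks; 'compliant' is True only when both pass."""
    last_scan, scan_current = check_scan_cadence(scan_dates, today)
    overdue = overdue_findings(findings, today)
    return {
        "last_scan": last_scan,
        "scan_current": scan_current,
        "overdue_ids": [f["id"] for f in overdue],
        "compliant": scan_current and not overdue,
    }


if __name__ == "__main__":
    status = conmon_status(FINDINGS, SCAN_DATES, TODAY)
    print(f"last scan {status['last_scan']} current={status['scan_current']}")
    for f in overdue_findings(FINDINGS, TODAY):
        print(f"{f['id']} ({f['severity']}) due {f['deadline']}, "
              f"{f['days_overdue']} days overdue")
    print("compliant:", status["compliant"])
```

With the sample data the provider fails both checks: the last scan is 34 days old, and F-001 (high, 26 days past its deadline) and F-003 (moderate, 44 days past) are still open. F-002 is inside its 30-day window, F-004 is inside its 180-day window, and F-005 is closed, so none of those is flagged.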

Although some agencies are not keeping up with the requirements, 81 agency systems were reported as FedRAMP compliant, and 26 agencies said they relied on FedRAMP provisional authorizations to operate (P-ATOs) when determining vendor compliance.

“It isn’t clear how many systems are required to meet FedRAMP standards,” Johnson explained, “but one of the program office’s top priorities this year is increasing stakeholder engagement, including the number of agencies implementing FedRAMP.”

Public cloud and other provisioned services currently represent 8.5% of the federal IT budget, per the White House’s fiscal 2016 budget proposal.

Along with continuous monitoring, other elements of FedRAMP’s mission include automation of its documentation (to speed deployment) and updating its guidelines to support developments in cloud systems.

The FISMA-Compliant Cloud

Want a FISMA-compliant cloud?

At Superb, we take a defense-in-depth approach that extends from the physical layer through the network and system layers, using security technologies and practices that meet or exceed NIST SP 800-53 Rev. 3.

By Kent Roberts
