Conducting business or evaluating opportunities where FISMA is required? Navigating the complexities of a FISMA authorization is challenging, especially because each agency interprets the requirements differently.
Fortreum team members can advise or independently assess your IT service offering. With experience implementing FISMA requirements since the law was signed in 2002, we can help guide you through the process.
The first step to preparing for a FISMA assessment is to perform a gap assessment to identify where you are in preparation to meet the strict requirements. This gap will cover a variety of topics, including:
Preparing for FISMA is no small undertaking. If one has not gone through a regulatory compliance assessment before, it may take some time to develop the suite of documentation to provide to the assessors. Fortreum team members are well versed in FISMA requirements at respective agencies and can help support you in this development activity.
An independent assessment is required to validate the security posture of the IT service. This can be performed by the agency themselves, or via an independent third party such as Fortreum.
Obtaining a FISMA authorization step one, but maintaining it requires continual support. Each agency performs continuous monitoring a little differently, including taking it completely in-house or outsourcing it entirely to the service provider.
Fortreum has enterprise grade experience with the right blend of technical and analytical experience to support your cybersecurity and cloud needs.
We’re happy to share our insights and work with you to fast-track your CMMC Certification.
FISMA sets the stage for establishing a strong security program, one centered around ensuring your baseline inventory, configuration management, patch management and vulnerability management regularly. Once the program is established, it is then validated by an independent assessment and authorized by the government authorizing official.
Unlike FedRAMP, there is no standard process for FISMA compliance. Yes, the requirements are set forth in NIST SP 800-53, but each federal agency can tailor the baseline set of security controls and develop its own templates and process for testing. Fortreum recommends obtaining these process updates and templates upfront to further support a successful authorization journey.
Through its many engagements, Fortreum has that the vast majority of findings are from missing patches or improper configurations. Many of these findings are uncovered during a credentialed vulnerability scans. Fortreum always recommends one be performed to provide both the vendor and government confidence that the IT service is protected from known vulnerabilities.
Each federal agency is unique and each IT service that is leveraged must be assessed and carried under that agency’s FISMA authorization boundary. This means for every federal customer you do business with, your organization will undergo an assessment, even if it’s the same offering in a different federal agency.
Similar to how federal agencies can lose funding for failing to align to FISMA requirements, federal contractors may be stripped of its federal contracts and be prohibited from bidding on future opportunities. Since FISMA is a law, it is mandatory. There is no way around it and something that must be performed if you want to sell IT services to the federal government. Proper planning around implementing security into the early lifecycle of the IT service will alleviate concerns from the government and allow for proper authorizations.
Stay informed with our Industry Compliance Roadmaps, Technical Testing, Interviews and Resources to help you simplify cybersecurity and compliance.
