FISMA

Conducting business or evaluating opportunities where FISMA is required? Navigating the complexities of a FISMA authorization is challenging, especially because each agency interprets the requirements differently.

Fortreum team members can advise or independently assess your IT service offering. With experience implementing FISMA requirements since the law was signed in 2002, we can help guide you through the process.

Why Choose Fortreum?

We simplify cloud and cybersecurity for our customers

Fortreum has enterprise grade experience with the right blend of technical and analytical experience to support your cybersecurity and cloud needs.

Get In Touch

We’re happy to share our insights and work with you to fast-track your CMMC Certification.

    Business Considerations

    FISMA is not just a paperwork exercise

    FISMA sets the stage for establishing a strong security program, one centered around ensuring your baseline inventory, configuration management, patch management and vulnerability management regularly. Once the program is established, it is then validated by an independent assessment and authorized by the government authorizing official.

    Agencies have different processes

    Unlike FedRAMP, there is no standard process for FISMA compliance. Yes, the requirements are set forth in NIST SP 800-53, but each federal agency can tailor the baseline set of security controls and develop its own templates and process for testing. Fortreum recommends obtaining these process updates and templates upfront to further support a successful authorization journey.

    Vulnerability Management is Key

    Through its many engagements, Fortreum has that the vast majority of findings are from missing patches or improper configurations. Many of these findings are uncovered during a credentialed vulnerability scans. Fortreum always recommends one be performed to provide both the vendor and government confidence that the IT service is protected from known vulnerabilities.

    Assessment re-use is not common

    Each federal agency is unique and each IT service that is leveraged must be assessed and carried under that agency’s FISMA authorization boundary. This means for every federal customer you do business with, your organization will undergo an assessment, even if it’s the same offering in a different federal agency.

    Why is FISMA important?

    FISMA applies to all government agencies – no exception. If a federal agency leverages an information system, that information system must maintain a security posture commensurate with the type of data it stores, processes, or transmits. Since the impact of a breach to a federal agency is so extreme, the US taxpayers deserve a sense of assurance that data in these information systems is properly protected. If an agency does not properly align to FISMA requirements, they have the potential to risk losing federal funding.

    Why should my organization care?

    Similar to how federal agencies can lose funding for failing to align to FISMA requirements, federal contractors may be stripped of its federal contracts and be prohibited from bidding on future opportunities. Since FISMA is a law, it is mandatory. There is no way around it and something that must be performed if you want to sell IT services to the federal government. Proper planning around implementing security into the early lifecycle of the IT service will alleviate concerns from the government and allow for proper authorizations.

    Recent Insights