
FISMA Compliance

Our Lawyers and Consultants Have Extensive Experience in the Area of Private-Sector FISMA Compliance

Dr. Nick Oberheiden
FISMA Compliance Team Lead

The Federal Information Security Modernization Act (FISMA) is a federal statute that applies to federal agencies. Because private-sector companies working with the federal government are, in effect, extensions of the agencies they serve, these companies must also address FISMA compliance. Whatever industry standards and best practices an organization already follows, an entity subject to FISMA must still meet the statute’s extensive and stringent requirements, and this means working with a team of federal compliance lawyers and FISMA consultants who can help it do what is required.

Making Informed Decisions About FISMA Compliance

At Oberheiden P.C., we have extensive experience advising private-sector entities on all aspects of FISMA compliance. We also assist our clients with conducting FISMA audits to assess the efficacy of their compliance programs. If you have questions about FISMA compliance, our team can walk you through everything you need to know, and we can help your organization implement a compliance program and risk management practices that satisfy all pertinent federal requirements.

Effectively managing FISMA compliance in the private sector involves implementing cybersecurity safeguards, security controls, and related processes and procedures focused on protecting sensitive information. Beyond complying with the statute itself, organizations that are subject to FISMA must also comply with the applicable standards established by the National Institute of Standards and Technology (NIST). Pursuant to its authority under FISMA, NIST has released multiple publications that contain the relevant standards, including FIPS 199, FIPS 200, and the NIST Special Publication 800 series.

10 Key Steps for Effective FISMA Compliance Management

Compliance with the federal cybersecurity standards under FISMA is complex, and this makes it essential to work with a team of FISMA lawyers and FISMA consultants who can help your organization implement an effective compliance program. Efforts to comply with FISMA must be custom-tailored to an organization’s specific risks, to its role with the federal agency it serves, and to the sensitive data it collects. With this in mind, the following are some key areas of FISMA compliance, but there is much more to effectively managing compliance on an ongoing basis:

1. Creating (and Maintaining) an Up-to-Date Inventory of Information Technology Systems

Federal contractors and other private-sector entities subject to FISMA must create (and maintain) an up-to-date inventory of their information technology systems. This inventory will help determine what subsequent steps are necessary and serve as the foundation for the organization’s FISMA compliance program. Since different systems present different risks, organizations must always keep their information technology system inventories updated and under continuous monitoring.

2. Categorizing Information Technology Systems Based on Risk Level

FISMA requires that covered entities categorize their information technology systems based on risk level. The appropriate risk level categorization (low-impact, moderate-impact, or high-impact) also plays a critical role in determining which security controls are necessary for each individual information technology system in an organization’s technology environment.

3. Creating a System Security Plan

FISMA also mandates that covered entities create a System Security Plan (SSP). Creating an effective SSP requires working closely with experienced FISMA consultants who can assist with applying the relevant NIST standards (among others) based on an organization’s information technology systems and risk levels. This underscores a key aspect of FISMA compliance—it is both legal and technical in nature. Organizations not only need to understand what is required, but they also need to be able to implement protocols and safeguards and conduct annual security reviews to meet the relevant federal requirements.

4. Creating a Risk Assessment Plan

Along with creating an SSP, covered entities must create a Risk Assessment Plan (RAP). While the focus of an SSP is on avoiding risks, the focus of a RAP is on identifying security incidents when they arise. Even with an effective SSP in place—and even when organizations go above and beyond what is federally required—cybersecurity intrusions remain a constant threat. Having the protocols and procedures in place to identify potential sources of intrusions (and intrusions themselves) is essential not only for effective FISMA compliance management but also for general risk management.

5. Obtaining Necessary Certifications and Accreditations

Obtaining necessary certifications and accreditations for cybersecurity applications and other assets is another key component of FISMA compliance. At Oberheiden P.C., our lawyers help our clients understand what certifications and accreditations are necessary, and our FISMA consultants help our clients navigate the certification and accreditation processes.

6. Continuously Monitoring System Security Safeguards

Beyond putting system security safeguards in place, the federal authorities that enforce FISMA (including the U.S. Cybersecurity & Infrastructure Security Agency (CISA)) also expect covered entities to continuously monitor the efficacy of these safeguards on an ongoing basis. This underscores another key aspect of FISMA compliance—establishing compliance is not a one-time event, but rather an ongoing process that requires organizations to remain attuned to developing risks and respond to new risks as necessary.

7. Conducting Periodic FISMA Compliance Risk Assessments

One way covered entities can monitor the efficacy of their system security safeguards is by conducting periodic FISMA compliance risk assessments. Our FISMA lawyers and FISMA consultants work together to assess both the legal and technological sufficiency of our clients’ cybersecurity protocols in light of the applicable FISMA and NIST standards—and to provide advice on updates and improvements as necessary.

8. Responding Effectively to Cybersecurity Risks with FISMA Implications

Identifying cybersecurity risks is one thing. Responding effectively to these risks is another thing altogether. When cybersecurity breaches or other incidents threaten to compromise sensitive data in an organization’s technology environment, it is imperative that the organization immediately undertakes a structured and targeted response. Our lawyers and consultants provide assistance here as well, both in terms of developing incident response protocols and in terms of executing these protocols when necessary.

9. Documenting FISMA Compliance and Responding to Federal Inquiries as Necessary

Due to the substantial risks associated with FISMA noncompliance, CISA and other federal authorities take compliance very seriously. Not only do these authorities expect covered entities to comply with all pertinent statutory and regulatory requirements, but they also expect covered entities to be able to affirmatively demonstrate compliance upon request. With this in mind, thorough documentation is critical; and, as part of their incident response protocols, organizations should also have documented procedures for responding to inquiries from government agencies.

10. Monitoring for Updates to NIST and Other Standards

Due to the ever-evolving nature of cybersecurity, private-sector entities subject to FISMA must constantly address new risks. They must also frequently address new federal requirements. Updates to NIST and other standards can necessitate prompt updates to organizations’ FISMA compliance programs. Our FISMA lawyers and FISMA consultants monitor for federal updates on behalf of our clients so that they can promptly address new requirements and remain compliant.

Put our highly experienced team on your side

  • Dr. Nick Oberheiden – Founder, Attorney-at-Law
  • Lynette S. Byrd – Former DOJ Trial Attorney, Partner
  • Brian J. Kuester – Former U.S. Attorney
  • Hon. Kevin McCarthy – 55th Speaker, U.S. House of Representatives (ret.), Government Consultant
  • Mike Pompeo – Of Counsel, Former U.S. Secretary of State
  • John W. Sellers – Former Senior DOJ Trial Attorney
  • Linda Julin McNamara – Federal Appeals Attorney
  • Nicholas B. Johnson – Former Prosecutor
  • Roger Bach – Former Special Agent (DOJ)
  • Chris J. Quick – Former Special Agent (FBI & IRS-CI)
  • Michael S. Koslow – Former Supervisory Special Agent (DOD-OIG)
  • Ray Yuen – Former Supervisory Special Agent (FBI)

FAQs: FISMA Compliance in the Private Sector

Which Organizations Need to Comply with FISMA?

Organizations in the private sector that do business with the federal government may be subject to FISMA compliance requirements. Crucially, even if an organization is subject to other statutory or regulatory cybersecurity requirements, it must still separately address the requirements established under FISMA—and it must be prepared to demonstrate FISMA compliance to federal authorities when necessary.

What Are the Metrics for FISMA Compliance?

As the U.S. Chief Information Officers Council explains, “FISMA metrics are aligned to the five functions outlined in NIST’s Framework for Improving Critical Infrastructure and Cybersecurity: Identify, Protect, Detect, Respond, and Recover.” However, while NIST’s Framework is one source of compliance guidance for organizations that are subject to FISMA, NIST compliance is not enough on its own.

Where Can I Find a FISMA Compliance Checklist?

While there are various FISMA compliance checklists available online, we strongly advise against using these checklists for several reasons. Most importantly, FISMA compliance demands a comprehensive and custom-tailored approach, and no generic risk management framework will meet any particular organization’s needs. Our FISMA lawyers and FISMA consultants work with federal contractors and other organizations of all sizes to help them do what is required.

What is the Difference Between FISMA and NIST?

Under FISMA, covered entities must comply with various NIST standards. However, these are not the only standards that apply. Establishing and maintaining FISMA compliance requires a comprehensive approach focused on an organization’s specific risks and needs.

What Are the Risks of FISMA Non-Compliance?

For entities in the private sector, failure to comply with FISMA can result in loss of federal government business, either temporarily or permanently. FISMA violations can implicate various other federal requirements as well and, as a result, can also lead to fines and other civil monetary penalties (CMPs). At Oberheiden P.C., we help our clients avoid these consequences through a comprehensive and custom-tailored approach to FISMA compliance.

Speak with a FISMA Lawyer or FISMA Consultant at Oberheiden P.C. in Confidence

If you need to know more about FISMA compliance (or the risks of non-compliance), we invite you to get in touch. To speak with a senior FISMA lawyer or FISMA consultant at Oberheiden P.C. in confidence, give us a call at 888-680-1745 or tell us how we can contact you online today.

Why Clients Trust Oberheiden P.C.

  • 2,000+ Cases Won
  • Available Nights & Weekends
  • Experienced Trial Attorneys
  • Former Department of Justice Trial Attorney
  • Former Federal Prosecutors, U.S. Attorney’s Office
  • Former Agents from FBI, OIG, DEA
  • Serving Clients Nationwide