Apr 28, 2020
Difference between FISMA vs FedRAMP Compliance
For Cloud Service Providers (CSPs) and organizations intending to work with United States Federal Government agencies that process and store government data, obtaining the proper certification is essential. The two most important are the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA).
FedRAMP is a security certification for CSPs that provide cloud services to federal agencies. FISMA is related legislation that requires federal agencies and contractors to meet information security standards. Both draw their security controls from the National Institute of Standards and Technology's Special Publication 800-53 (NIST SP 800-53). They also differ in several respects, such as the authorization process and who the framework applies to.
What is FISMA?
FISMA is the Federal Information Security Management Act, first enacted in 2002. It contains compulsory requirements for the security of government information systems that also apply to third-party service providers.
A fundamental requirement of FISMA was a risk-management-focused approach to information security. FISMA was updated in 2014, pivoting from constant reporting to continuous threat monitoring, while compliance checks and breach reporting shifted to scheduled audits. The update also gave the Department of Homeland Security responsibility for overseeing FISMA implementation.
Who Needs FISMA Compliance?
While FISMA compliance is mandatory for government agencies and contractors, its risk management approach is beneficial to any organization that needs protection from cyber threats. The regulatory requirements in FISMA represent industry best practices that better prepare organizations to address risks and respond to breaches.
What is the FISMA Compliance Process?
The National Institute of Standards and Technology (NIST) produced the security guidelines referenced by FISMA. Vendors being evaluated against FISMA are categorized as low, moderate or high impact in accordance with the Standards for Security Categorization of Federal Information and Information Systems (FIPS-199). Companies must then implement the recommended information security controls defined in NIST SP 800-53, which can be assessed by a government agency or by third parties.
The process for obtaining FISMA compliance consists of the following stages:
Information system inventory: organizations must keep a list of all information systems in use and identify how these systems are integrated within their network.
Risk categorization: organizations must categorize information in order of risk to ensure that the most sensitive information is given the highest level of security.
System security plan: organizations must keep a security plan that is regularly maintained and updated.
Security controls: NIST SP 800-53 contains 18 families of security controls that can be implemented for FISMA compliance. Organizations are only required to implement the controls that are relevant to their systems.
Risk assessments: organizations are required to assess risks at the organizational level, the business-process level and the information-system level.
Certification and accreditation: compliant organizations are accredited and subject to annual reviews to retain their accreditation.
What is FedRAMP?
FedRAMP is a security certification for CSPs that want to provide cloud services to United States government agencies. To become certified, CSPs must follow the FedRAMP information security framework when creating or adapting their existing mitigating processes, known as controls.
FedRAMP certification can be extremely beneficial for CSPs as it provides access to highly desirable government contracts. While the requirements are stringent, once a CSP is FedRAMP certified, it can work with multiple agencies without repeating the certification process.
There are two categories of FedRAMP authorization: a Joint Authorization Board Provisional Authority to Operate (JAB P-ATO) and an Agency Authority to Operate (Agency ATO). The JAB P-ATO is more stringent and authorizes a CSP to work with any government agency. The Agency ATO is less stringent and is suitable for CSPs that intend to work with one or two agencies.
There are three main steps for a CSP to obtain either a JAB P-ATO or an Agency ATO once it has been pre-authorized:
Document: the compliance process starts with the CSP categorizing its services as low, moderate or high impact in accordance with FIPS-199. The CSP is then required to produce a System Security Plan (SSP) that describes how it meets the required controls defined in NIST SP 800-53.
Assess: a third-party assessment organization (3PAO) designs and conducts a security assessment plan to test the CSP's security controls. The CSP then creates a Plan of Actions & Milestones (POA&M) based on the assessment's findings.
Authorize: the agency or agencies intending to use the CSP's services review the 3PAO's security assessment report, accept the risk associated with the system and grant either an Agency ATO or a JAB P-ATO. The CSP is then listed in the FedRAMP Marketplace as an authorized vendor.
What's the difference between FedRAMP & FISMA?
Information systems undergoing FedRAMP or FISMA compliance are both categorized according to the impact levels outlined in FIPS-199, and both standards were developed from NIST guidelines for information systems security. They do, however, differ in several respects, including the required controls and the authorization process.
FISMA compliance requires vendors to implement the minimum recommended information security controls defined in NIST SP 800-53. FedRAMP goes further and defines specific requirements for each control that a CSP must implement.
FISMA assessments may be performed by government agencies or third parties, while FedRAMP assessments must be performed by a 3PAO.
The JAB adopted a "do once, use many times" authorization method for FedRAMP compliance, meaning certified CSPs can work with multiple agencies without repeating the certification process.
All federal agencies, departments and contractors are required to be FISMA compliant, while FedRAMP authorization is only required for organizations that provide cloud-based services to government agencies.
Managing FedRAMP and FISMA Compliance
GRC (governance, risk and compliance) tools can make FedRAMP and FISMA compliance significantly easier to obtain. GRC tools integrate with existing systems to manage compliance-related tasks from a single platform. This allows controls and documentation to be managed from a single data source, which streamlines the process and ensures that up-to-date information is on hand.
Compliance reports can be generated on demand, freeing up time and allowing gaps to be addressed before a breach occurs. Most GRC tools can manage multiple compliance standards at the same time and are compatible with a wide range of systems.
How To Determine Which Information Security Risk Compliance You Need
Compliance with United States federal government standards like FedRAMP and FISMA requires significant investment but grants access to sought-after government contracts. As FISMA is based on a best-practice risk management approach, certification can be valuable to any organization that needs to manage information security risks.
Using a centralized GRC tool, the time and cost of becoming FedRAMP and FISMA compliant can be significantly reduced through the automation of compliance-related tasks and reporting.