Are you in charge of confidential government data? Learn how FISMA certification is important to the functionality of your information systems.

Everything You Need to Know About FISMA Compliance

Data breaches, especially when they occur on government websites, can cause severe security risks. People’s identities can get stolen, finances can go missing, or sensitive government information can fall into the wrong hands. To minimize security concerns, organizations that handle federal data have to abide by strict security protocols.

The policies and regulations fall under the umbrella of FISMA, short for the Federal Information Security Management Act. FISMA is an act of Congress passed in 2002, updated by the Federal Information Security Modernization Act of 2014, and it covers federal information and information systems regardless of how or where the data is stored.

Every federal agency, and every contractor or other organization that handles federal data on an agency's behalf, must be FISMA compliant, with the standards and guidelines defined by the National Institute of Standards and Technology (NIST).

Who Needs to Become FISMA Compliant?

FISMA applies to every federal agency and to any organization, including state and local agencies and private contractors, that stores or processes federal information on the government's behalf. An information system that has not received an authorization to operate is not permitted to handle that data. As we'll discuss below, several factors determine whether a system can be classed as compliant.

How is FISMA Compliance Measured?

Periodically, your organization will undergo an independent FISMA evaluation (for federal agencies this happens annually, performed by the agency's Inspector General or an external auditor, with the results reported to OMB and the Department of Homeland Security) to verify that the IT security team is following all the measures of the program. Nine components make up the core of FISMA risk management, following NIST's Risk Management Framework:

  • Categorizing information systems by the impact that a loss of confidentiality, integrity or availability would have (FIPS 199), which determines the baseline of controls the system must carry
  • Setting minimum access controls for any information on systems or networks, regardless of security clearance, on the principle of least privilege. This could include restricted user accounts, password locks, or encryption.
  • Adding extra measures (control enhancements or tailored controls) as needed to protect especially sensitive data
  • Ensuring that the IT team maintains security documentation, above all the System Security Plan, for every step of the testing and implementation process
  • Ensuring that security measures outlined in the risk assessment plan are consistently implemented
  • Regular testing of security measures for effectiveness, such as assessing controls and looking for potential backdoors into a system
  • Accurate determination of the risk factors affecting the availability, integrity, and confidentiality of data
  • Bringing the information systems online only once the security measures are in place and authorized
  • Monitoring controls continuously, with a review at least once per year and a full reassessment and reauthorization every three years (or on the schedule of the agency's ongoing-authorization program)

Asset vs. Threat vs. Risk

    In IT security, the term "asset" refers to anything you're trying to protect. This can be an employee workstation, a network server, a website, or any sensitive information contained on any of these devices. Asset protection under FISMA covers both the information itself and the systems (servers, workstations, storage media, network equipment) that store, process, or transmit it; it is not limited to the physical devices.

     The term "threat" refers to any event or action that could compromise the security of information systems. Threats arise internally, through mismanagement of resources or insider misuse, or externally, through malicious intent. Categorizing threats and the vulnerabilities they could exploit is part of risk analysis.

     The word "risk" combines the likelihood of a breach with the severity of its consequences. FIPS 199 categorizes the consequence side: a system holding federal employees' Social Security numbers, for example, is moderate or high impact for confidentiality no matter how good its controls are, because impact describes what a breach would cost, not how likely it is. Up-to-date controls such as multi-factor authentication lower the likelihood, and therefore the risk, but never the impact level.



    Minimum Security Standards

    The security standards for information systems and facilities are outlined in NIST SP 800-53 Revision 5 (800-53r5). This document organizes its controls into 20 control families and describes best practices for implementing them.

     Some of these families include Access Control, which determines who may access particular information; Contingency Planning, which covers keeping or restoring service through outages and disasters (a breach itself is handled under the separate Incident Response family); Media Protection, covering the handling, marking, storage, and sanitization of disks, removable media, and paper; Personnel Security, involving screening and employee credentials; and Maintenance, which entails keeping systems patched and serviced through controlled procedures.

     It is up to your organization to implement the controls 800-53r5 prescribes for your system's impact level and to document any tailoring. It's also important to realize that there is no such thing as zero risk. However, when the FISMA evaluation occurs, you need to show that your organization operates within an acceptable level of risk. The minimum security requirements a federal system must meet are set out in FIPS 200, which in turn points to the 800-53 control baselines (low, moderate, high) selected according to the system's FIPS 199 categorization.

     Two of the most common weaknesses are insufficient data protections and unencrypted websites. Government websites, and anything handling private financial data, should serve all traffic over HTTPS using current TLS (1.2 or 1.3) with FIPS 140-validated cryptographic modules; the "SSL 128-bit or 256-bit" labels that older sites advertised referred to the symmetric cipher key length, and SSL itself is obsolete and must be disabled. Encryption ensures that even if packets are intercepted, the attacker would need the session key to make use of them.

     Protection of data occurs at all levels of your organization. Information should be accessible on the principle of least privilege. This means that user account controls grant users access only to the files they need to perform their jobs, and only the read, write, or modify rights the job requires.

     Another security factor to consider is outside user access. Wi-Fi networks should use WPA2 with AES-CCMP (128-bit keys) at minimum, or WPA3 where supported; WEP and WPA with TKIP are broken and must not be used. Employees should not access data from unmanaged outside devices, nor should such devices be allowed to store sensitive data.

     Servers and sensitive systems should also be physically protected. Users should implement screen-lock passwords, failed-login alerts, and privacy filters, among other measures. Passwords need strong requirements that lessen the likelihood of unauthorized access; note that NIST SP 800-63B now advises against forced periodic password changes, recommending instead a length requirement, screening against lists of known-breached passwords, and a change whenever compromise is suspected.

     Limiting failed login attempts, for example by locking an account after a set number of consecutive failures, blunts brute-forcing of sequential guesses (1111, 1112, 1113 ...), and long passphrases that do not appear in breached-password lists defeat dictionary attacks, which try common words and terms known to matter to the user rather than every possible combination.
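     The lockout idea in the previous paragraph corresponds to control AC-7 (Unsuccessful Logon Attempts) in SP 800-53. The following Python program is an added example, not code from the original article or from NIST: it locks an account after a fixed number of consecutive failures inside a time window and screens new passwords by length and against a breached-password list, as SP 800-63B recommends. The threshold, window, lockout duration, blocklist, and user names are assumptions chosen for illustration; agencies set their own parameters.

```python
"""Failed-logon limiting (SP 800-53 control AC-7) with SP 800-63B password checks.

Added example, not code from the original article. After MAX_FAILURES
consecutive wrong passwords inside FAILURE_WINDOW the account is locked for
LOCKOUT_SECONDS, so sequential guessing (1111, 1112, 1113, ...) gets only a
handful of tries instead of thousands. The three parameters, the blocklist and
the user names are assumptions for illustration; agencies set their own values.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5            # consecutive failures allowed (assumed AC-7 parameter)
FAILURE_WINDOW = 15 * 60    # seconds within which those failures must fall (assumed)
LOCKOUT_SECONDS = 30 * 60   # how long the account then stays locked (assumed)
MIN_PASSWORD_LENGTH = 12    # assumed floor; SP 800-63B's minimum is 8 for chosen passwords

# Constructed stand-in for a breached-password blocklist (SP 800-63B screening).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_acceptable(password: str) -> bool:
    """Length floor plus blocklist screening, as SP 800-63B recommends, instead of
    composition rules alone (which 'P@ssw0rd1' satisfies while staying guessable)."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in BLOCKLIST


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, clock=time.time):
        self.accounts: Dict[str, Account] = {}
        self.clock = clock  # injectable so a test can advance time without sleeping

    def register(self, user: str, password: str) -> None:
        if not password_acceptable(password):
            raise ValueError("password too short or on the blocklist")
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. An unknown user gets the same 'denied'
        as a wrong password so the response does not confirm which names exist."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if now < acct.locked_until:
            return "locked"               # no password comparison while locked
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures.clear()         # a success resets the consecutive count
            return "ok"
        acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW]
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
            return "locked"
        return "denied"


def guesses_until_lockout(auth: "Authenticator", user: str, start: int = 1111,
                          limit: int = 10_000) -> int:
    """Guess start, start+1, ... against `user` and return how many login attempts
    the attacker gets to make before the service answers 'locked'."""
    for n, guess in enumerate(range(start, start + limit), 1):
        if auth.login(user, str(guess)) == "locked":
            return n
    return limit


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct-horse-battery")
    print("attempts before lockout:", guesses_until_lockout(auth, "alice"))
    print("correct password while locked:", auth.login("alice", "correct-horse-battery"))
```

     One caveat a practitioner should keep in mind: account lockout is itself a denial-of-service lever, since anyone who knows a username can lock it by sending wrong passwords. Pair it with per-source rate limiting and multi-factor authentication rather than relying on lockout alone.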

     Large equipment should have restricted access; for example, people seeking access should present a valid organization ID with the appropriate access permissions. In the same vein, employees always need to undergo full security training and periodic re-education.

    Types of Information

    NIST SP 800-60 breaks federal information into four broad categories drawn from the Federal Enterprise Architecture: mission-based services for citizens, mode of delivery, support for the delivery of services, and management of government resources. Each information type is then rated low, moderate, or high (FIPS 199 uses "moderate", not "medium") for confidentiality, integrity, and availability, and a system inherits the highest rating found among its information types for each of the three objectives. You can get the full details in NIST SP 800-60 and FIPS 199, but here's a basic definition of the three parameters:

     Confidentiality refers to controlled access to information, which is accessible on a need-to-know basis.

     Integrity refers to the trustworthiness of data. In other words, it should not be modified or destroyed without authorization, and any unauthorized change should be detectable.

     Availability refers to the assurance that data will be accessible to all who need it. Websites, for example, will stay active and experience a minimum of downtime.

     Different types of information come with different security risks. For example, if a Department of Social Services website goes down, citizens may not be able to reach their benefits page, causing serious inconvenience; that is an availability impact.

     Similarly, if a Citizen Protection website suffers a confidentiality breach, someone's life could be in danger if a criminal finds a witness and seeks reprisal; that is a high confidentiality impact.
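     The categorization rule described above (FIPS 199 impact levels per objective, aggregated across information types by taking the highest level, then an overall level that selects the SP 800-53 baseline) is mechanical enough to write down as a program. The following Python is an added example, not part of the original article or of any NIST publication; the benefits-portal information types and their impact levels are constructed for illustration, not values taken from SP 800-60.

```python
"""FIPS 199 / SP 800-60 security categorization as code.

Added example, not from the original article. For each security objective the
system takes the highest impact level among the information types it handles
(the "high-water mark"); the overall impact level is then the highest of the
three objectives and selects the low/moderate/high SP 800-53 baseline. The
information types and levels below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

OBJECTIVES = ("confidentiality", "integrity", "availability")

# FIPS 199 impact levels in rank order; max() over ranks gives the high-water mark.
RANK = {"N/A": 0, "low": 1, "moderate": 2, "high": 3}
LEVEL = {v: k for k, v in RANK.items()}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional FIPS 199 impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            if getattr(self, obj) not in RANK:
                raise ValueError(f"{self.name}: bad {obj} level {getattr(self, obj)!r}")
        # FIPS 199 allows "N/A" only for confidentiality, and only for public information.
        if "N/A" in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: integrity and availability cannot be N/A")


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Return {objective: level} for a system: per objective, the highest level
    among its information types. A system never stays at N/A, because FIPS 199
    sets the floor for every objective of an information system at 'low'."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for obj in OBJECTIVES:
        high_water_mark = max(RANK[getattr(t, obj)] for t in info_types)
        category[obj] = LEVEL[max(high_water_mark, RANK["low"])]
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the highest of the three objectives.
    This is the value that picks the SP 800-53 control baseline."""
    return LEVEL[max(RANK[category[obj]] for obj in OBJECTIVES)]


def format_category(system_name: str, category: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation: SC system = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a benefits portal that serves public program information
# alongside beneficiaries' personal records. The levels are illustrative assumptions.
BENEFITS_PORTAL = [
    InfoType("public program information", "N/A", "low", "moderate"),
    InfoType("beneficiary case records (PII)", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    cat = categorize_system(BENEFITS_PORTAL)
    print(format_category("benefits portal", cat))
    print("overall impact level:", overall_impact(cat))
```

     The point the code makes that the prose does not is how one sensitive information type drags the whole system up: adding a single high-confidentiality record type (the witness-location case above) to an otherwise moderate portal turns the overall level, and therefore the baseline, into high.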

    Getting FISMA Certification

    In order to achieve FISMA compliance, your organization's systems must go through the review and authorization process described in NIST SP 800-37. The original edition of SP 800-37 called this certification and accreditation (C&A) and laid it out in four phases; later revisions describe the same journey as the Risk Management Framework and speak of assessment and authorization instead, but the sequence below still applies.

     First, the Information System Security Officer makes a formal declaration of intent to pursue authorization for a set of systems. Then, they assemble a team and begin cataloging the systems and identifying security weaknesses. Every weakness that cannot be fixed immediately goes into a document called the Plan of Action and Milestones (POA&M), which, together with the System Security Plan (SSP) and the assessment results, forms the authorization package.

     You can also hire an external security consultant team to run through the checklist. It can be good to have a fresh set of eyes; they may notice a crucial detail you missed.

     After the corrective actions in the POA&M have been implemented, the team submits the authorization package to the authorizing official. Independent assessors conduct tests to verify that the security controls work as documented. This is a thorough and lengthy process because it includes system tests, physical inspections of the facility, and interviews with employees to determine knowledge and training.

     The authorizing official makes the final decision after the assessment. If you aren't ready, you receive a detailed report, including the areas that need improvement. As we've said, you aren't expected to be perfect; you only have to bring residual risk down to a level the authorizing official is willing to accept. If the risk is acceptable, the system receives an ATO, or Authorization to Operate.

     This authorization has traditionally been valid for three years, after which you must reauthorize; agencies that run a mature continuous monitoring program may instead grant an ongoing authorization with no fixed expiry. Throughout that period, continue to research and upgrade your security protocols when it is feasible to do so.

     During the authorization period, you should consistently monitor and maintain your security measures. Document changes, as well as any attempted or successful breaches, and keep a record of how each incident was addressed and how you intend to prevent a recurrence.

    Final Thoughts on FISMA Compliance

    To have the best chance of retaining your FISMA authorization, you should diligently study the security guidelines outlined in the 800-53 document. You may not be able to implement every control at once, so to determine where your priorities should lie, create a detailed inventory of all information systems in your facility and the data they contain.

     If you ensure that your data meets confidentiality, integrity, and availability standards across the board, your systems will be secure and able to function effectively.
