Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more
Blog Privacy & Compliance

What is FISMA Compliance? Regulations and Requirements

FISMA is the federal government’s security requirements. If you work for on with a federal agency read on to learn how to get (and stay) compliant.
Michael Buckbee
3 min read
Last updated February 25, 2022

Contents

    FISMA stands for the Federal Information Security Management Act, which the United States Congress passed in 2002: it requires federal agencies to implement information security plans to protect sensitive data.

    FISMA compliance is data security guidance set by FISMA and the National Institute of Standards and Technology (NIST). NIST is responsible for maintaining and updating the compliance documents as directed by FISMA. More specifically, NIST:

    Get the Free Essential Guide to US Data Protection Compliance and Regulations

    • Sets minimum requirements for information security plans and procedures.
    • Recommends types of security (systems, software, etc.) that agencies must implement and approves vendors.
    • Standardizes risk assessment process and sets varying standards of information security based on agency risk assessments. Each agency has different levels of security requirements: the National Security Agency and Housing and Urban Development, for instance, have different risk levels and therefore different security requirements.

    Why was FISMA Created?

    FISMA was created to require each federal agency to develop, document, and implement a complete information security plan to protect and support the operations of the agency. FISMA is one article in a larger piece of legislation called the E-Government Act, which recognizes the importance of information security to the economic and national interests of the United States.

    Congress amended FISMA in 2014 in the Federal Information Security Modernization Act. The amended legislation provided several modifications to the original law that brought FISMA in line with current information security concerns. Agencies are now encouraged to use more continuous monitoring and focus on compliance than what was required in the previous legislation.

    Who Needs to Follow FISMA Compliance?

    Originally, FISMA only applied to federal agencies. Over time, the law has evolved to cover state agencies that manage federal programs (i.e., Medicare, Medicaid, unemployment insurance, etc.) as well as companies with contracts to work with federal agencies.

    That means private sector companies that do business with federal agencies must adhere to the same information security guidelines as the federal agency.

    How Do I Become FISMA Compliant?

    To be FISMA compliant you need to information security controls across your organization based on the guidance from NIST. Several publications encompass the FISMA guidelines: a good place to start is NIST 800 – 53. You’ll also want to read up on NIST 800 – 171, FIPS 199, FIPS 200, and the other NIST 800 –xx documents.

    In general, following the basic data security principles in the Varonis Operational Journey will help get you FISMA compliant (minus the physical space controls, of course).

    FISMA requirements include the following:

    • Information System Inventory: FISMA requires every agency to maintain an inventory of all systems and their integrations in use.
    • Risk Categorization: FIPS 199 documents how an agency categorizes their risk and security requirements. Each agency is responsible for maintaining the highest level of security necessary per this document.
    • System Security Plan: FISMA requires that each agency have a security plan in place and a process to make sure the plan is updated regularly.
    • Security Controls: NIST 800-53 defines 20 security controls that each agency must implement to be FISMA compliant.
    • Risk Assessments: Any time an agency makes a change to their systems, they are required to perform a three tiered risk assessment using the Risk Management Framework (RMF).
    • Certification and Accreditation: FISMA requires each agency to conduct yearly security reviews. Agencies must demonstrate they can implement, maintain, and monitor systems to be FISMA compliant.

    FISMA requirements

    FedRAMP Program

    The Federal Risk and Authorization Management Program (FedRAMP) is a new government program that standardizes how agencies can validate cloud-computing services for FISMA compliance. Agencies are looking to cloud-computing options for cost savings – and FedRAMP provides guidance on how to manage risk and validate the cloud services for use by federal agencies.

    Any software vendor that wants to work with US government agencies should look into the FedRAMP authorization programs.

    FISMA Compliance Benefits

    Achieving FISMA compliance increases an agencies’ data security, protects citizens’ private data, and reduces IT related cost to the federal government.

    Private sector companies in the current data security climate should implement FISMA compliant solutions for their own data security. Companies have to be FISMA compliant to work with federal agencies, and they get the added benefit of protecting their data from breaches.

    Penalties for FISMA Compliance Violations

    The loss of federal funding is one of the biggest potential penalties for FISMA compliance violations. For an agency that could be detrimental, but if you are a federal contractor that could be the end of your company.

    Other non-monetary penalties could be a loss of reputation due to data breaches and bad press – or even missing out on future federal project bid opportunities. If you depend on federal funds for your company’s ongoing revenue, you need to be FISMA compliant.

    FISMA Compliance Best Practices

    • Implement a comprehensive data security plan to classify data, monitor activity, and detect threats to your sensitive data.
    • Stay current with any changes to the FISMA standards.
    • Keep documentation of your FISMA compliance efforts.
    • Encrypt everything: data encryption is a FISMA requirement.

    FISMA compliance best practices

    Any organization – regardless of federal government involvement – will benefit from a FISMA compliance program. The EU passed GDPR, and there is new legislation in Congress today that redefines PII, and requires annual data risk reports. Privacy and data protection laws are coming to the United States, and it’s a good bet that FISMA will influence those laws. If you don’t have a data security strategy in place, you need to get planning now.

    A Varonis Risk Assessment is a great place to start your FISMA compliance journey. Varonis will highlight risks on sensitive data, monitor your data (one of the FISMA requirements) for potential cyberattacks, and more.

    Begin your FISMA compliance journey with a free Varonis Risk Assessment.

     

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
    Michael Buckbee
    Michael Buckbee Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    how-has-ransomware-impacted-the-us-government?
    How has Ransomware Impacted the US Government?
    how-has-ransomware-impacted-the-us-government?
    Michael Buckbee
    May 23, 2016
    Ransomware crimes have been soaring this year. It has stalled the operations of not only hospitals and businesses, but also the US government – federal, state and local governments, law enforcement...
    government-community-cloud:-primer-on-gcc-high,-gcc-and-dod
    Government Community Cloud: Primer on GCC High, GCC and DOD
    government-community-cloud:-primer-on-gcc-high,-gcc-and-dod
    David Harrington
    June 9, 2021
    Internal federal teams -- as well as external contractors -- need to secure sensitive data in the cloud. Enter the Government Community Cloud (GCC).
    understanding-canada:-ontario’s-new-medical-breach-notification-provision-(and-other-canadian-data-privacy-facts)
    Understanding Canada: Ontario’s New Medical Breach Notification Provision (and Other Canadian Data Privacy Facts)
    understanding-canada:-ontario’s-new-medical-breach-notification-provision-(and-other-canadian-data-privacy-facts)
    Michael Buckbee
    July 27, 2016
    Remember Canada’s profusion of data privacy laws? The Personal Information Protection and Electronic Documents Act (PIPEDA) is the law that covers all commercial organizations across Canada. Canadian federal government agencies,...
    how-the-moveit-vulnerability-impacts-federal-government-agencies
    How the MOVEit Vulnerability Impacts Federal Government Agencies
    how-the-moveit-vulnerability-impacts-federal-government-agencies
    Megan Garza
    June 29, 2023
    Our latest State of Cybercrime episode examines the MOVEit vulnerability and its impact on victims, including federal government agencies.