FISMA / NIST
Federal Information Security Management Act (FISMA, enacted in 2002 and updated by the Federal Information Security Modernization Act of 2014) and National Institute of Standards and Technology (NIST): FISMA / NIST Assessment and Authorization (A&A), built on the NIST Risk Management Framework (SP 800-37) and the SP 800-53 control catalog, has been the standard for authorizing Federal systems (aside from most of DoD, which historically ran its own process) for quite some time.
The beauty of using NIST-based security publications within your organization is that they were created to be tailorable and they make sense!
Struggling with compliance regulations, policies, requirements, guidelines, etc.?
NIST has broken the process into easy-to-follow steps (categorize, select, implement, assess, authorize, and monitor); if you're willing to dive into a world of NIST Special Publications, true enlightenment can be obtained. Or, just have 3fold help you out: we speak requirementese and can help you learn the letter of the law and understand the spirit of it.
What to expect for a FISMA / NIST Assessment:
Depending on the system's FIPS 199 security categorization (Low, Moderate, or High) and any agency overlays, the number of applicable NIST SP 800-53 controls and control enhancements is in the 300-475 neighborhood. That sounds like a lot (and it is), but the NIST-based controls are written at an easy-to-follow level that translates directly to test cases, and NIST SP 800-53A supplies the assessment procedures for each one, so there's your silver lining.
You will definitely need your policies in place. Assessors and Authorizing Officials (AOs) want to ensure your policies are up-to-date and compliant with the selected security controls. Some organizations may have decent policies, some may not, but in either case, checking the policies' compliance with the 300-475ish controls is imperative.
Continuous monitoring of controls is required, so the approach is blended rather than the historic hair-on-fire-every-three-years reaccreditation. In practice this means automated mechanisms that continuously verify and report compliance for a portion of your security controls (configuration, vulnerability, and patch status are the usual candidates), with the rest grouped into one of three annual assessments so that the entire set of controls is validated over the course of three years. Which controls fall into which bucket, and how often each is checked, is documented in the system's continuous monitoring strategy, which the AO approves.
As for configuration settings for IT systems, it's up to your Agency to determine those requirements. Your security baseline could be based on DoD guidance (the DISA STIGs), on the United States Government Configuration Baseline (USGCB), or on some other acronym that the AO likes. Ultimately, though, NIST gives the flexibility to weigh risk posture against the rigor of locking down resources: CM-6 (Configuration Settings) requires that you establish and enforce a documented baseline, but it does not dictate which checklist you start from.
Since FISMA / NIST A&A is handled at the Agency level, there is more room for customizing and tailoring the controls and the overall A&A process. This helps agencies make the controls more relevant to their environment and standardize their systems. Since there can be Agency-specific nuances, discussions with the authorities should happen as soon as feasible; they're there to help out and want everyone to succeed.
If you're looking to learn more about FISMA/NIST assessment, need to connect to a Federal system, want to sell to the Feds, or need an independent eye to review your system, shoot us an email.