FISMA Compliance and Regulations - Federal Lawyer
FISMA Compliance and Regulations

Our Lawyers and Consultants Assist Government Contractors with All Aspects of FISMA Compliance

Dr. Nick Oberheiden, Attorney
FISMA Compliance and Regulations Team Lead

The Federal Information Security Modernization Act (FISMA) is a federal statute that establishes cybersecurity requirements for entities operating at the federal level. As the U.S. Cybersecurity & Infrastructure Security Agency (CISA) explains:

“The Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. § 3554) requires the head of each Federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.”

But federal agencies aren’t the only ones responsible for FISMA compliance. Federal government contractors need to comply with FISMA as well. Generally, contractors are held to the same standards as federal agencies when it comes to protecting government data. Contractors that fail to adequately protect government data can face steep penalties; as a result, they need to make FISMA compliance a priority.

Why Federal Government Contractors Choose Oberheiden P.C. for FISMA Compliance

At Oberheiden P.C., we assist federal government contractors in all industries with FISMA compliance. We bring significant experience to the table, and we offer deep insights that help our clients understand their cybersecurity obligations as well as the risks of non-compliance. Here are just some of the reasons why contractors choose our team to help them meet their statutory and regulatory cybersecurity requirements:

  • A Team of Senior Lawyers and Consultants – Our team is made up entirely of senior-level lawyers and consultants, many of whom bring a high level of experience to the table. Not only do we thoroughly understand all aspects of FISMA compliance, but we understand the practicalities of implementing compliant cybersecurity solutions as well.
  • Prior Federal Government Experience – Most of our lawyers and consultants have significant prior experience working within the federal government. This includes prior experience working as U.S. Attorneys, Assistant U.S. Attorneys, and Special Agents-in-Charge with the DOJ, FBI, Secret Service, and other agencies.
  • Nationwide Capabilities and Reach – Our federal compliance practice is nationwide in scope. We have the technological capabilities required to efficiently represent federal government contractors in all 50 states, and our network of lawyers and consultants includes professionals with offices in major cities across the country.
  • Custom-Tailored Compliance Solutions – We offer truly custom-tailored solutions to our clients’ FISMA compliance needs. Too often, cybersecurity consulting firms offer cookie-cutter programs that they modify slightly to address certain unique technical aspects of their clients’ information systems. At Oberheiden P.C., we build our clients’ FISMA compliance programs from the ground up to ensure that we are thoroughly addressing all pertinent requirements.
  • Full-Service Legal Counsel for Federal Contractors – In addition to handling FISMA compliance, we assist federal contractors in all other areas as well. We serve as outside general counsel for many of our federal contractor clients, handling matters ranging from government contract compliance to cybersecurity incident response and qui tam litigation.

Put our highly experienced team on your side

  • Dr. Nick Oberheiden
  • Lynette S. Byrd – Former DOJ Trial Attorney
  • Brian J. Kuester – Former U.S. Attorney
  • Amanda Marshall – Former U.S. Attorney (Local Counsel)
  • Joe Brown – Former U.S. Attorney (Local Counsel)
  • John W. Sellers – Former Senior DOJ Trial Attorney
  • Linda Julin McNamara – Federal Appeals Attorney
  • Aaron L. Wiley – Former DOJ Attorney (Local Counsel)
  • Roger Bach – Former Special Agent (DOJ)
  • Chris J. Quick – Former Special Agent (FBI & IRS-CI)
  • Michael S. Koslow – Former Supervisory Special Agent (DOD-OIG)
  • Ray Yuen – Former Supervisory Special Agent (FBI)

7 Core Areas of FISMA Compliance

There are numerous aspects to FISMA compliance. To establish compliance, federal government contractors must adopt comprehensive policies and procedures, and they must implement physical and logical security controls that satisfy the complex and highly technical requirements set forth in the FISMA regulations.

Broadly speaking, however, we can break down FISMA compliance into seven core areas. When we represent federal contractors regarding FISMA compliance, we work closely with our clients’ executives and IT specialists to ensure that we are offering solutions in each of these core areas that our clients can implement effectively on a company-wide basis:

1. IT System Inventory

Under FISMA, federal government contractors must maintain an inventory of all IT systems in use and of the integrations between them. This includes an inventory of all interdependencies between internal IT systems as well as all interdependencies with third-party systems and platforms (e.g., cloud storage platforms) that are beyond the contractor’s control. While this might initially seem fairly straightforward, it can quickly become complicated, and establishing a comprehensive inventory is a foundational step toward effective FISMA compliance.

2. Data and Systems Categorization According to Risk Level

Federal government contractors must categorize their IT systems and all government data in their custody according to risk level. Typically, contractors will need to place their IT systems into one of three categories:

  • Low-Impact – Low-impact systems are those that do not house sensitive government data that requires safeguarding.
  • Moderate-Impact – Moderate-impact systems house sensitive government data that requires safeguarding, but whose malign access or theft would not present a national security threat or other grave risk.
  • High-Impact – High-impact systems house government data for which malign access or theft presents a national security risk or other grave threat to the U.S. government.

These categories are established in the National Institute of Standards and Technology’s (NIST) guidelines set forth in NIST Special Publication 800-60, entitled “Guide for Mapping Types of Information and Information Systems to Security Categories.” Federal contractors need to strictly comply with the system and data categorization requirements in NIST SP 800-60, among the various other NIST guidelines that apply.
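The inventory and categorization steps above lend themselves to a small, repeatable check. The following is an added example, not code from Oberheiden P.C. or from NIST: it models a constructed system inventory (including a third-party platform and an undeclared dependency) and derives each system’s impact level with the FIPS 199 “high-water mark” rule that SP 800-60 applies, taking the highest confidentiality, integrity, or availability impact across every information type a system holds. The information types, their impact levels, and the system names are constructed sample data and are not taken from any real contractor or from SP 800-60’s tables.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels, ordered so that max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """An information type with provisional C/I/A impact levels.
    Values here are constructed; in practice they come from SP 800-60 Volume II."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


@dataclass
class System:
    """One inventory entry. depends_on lists the names of other inventory entries."""
    name: str
    info_types: list = field(default_factory=list)
    depends_on: list = field(default_factory=list)
    third_party: bool = False  # operated outside the contractor's control (e.g. cloud storage)


def security_category(system):
    """Per-objective high-water mark, i.e. SC = {(C, max), (I, max), (A, max)} as in FIPS 199.
    A system holding no information types is treated as LOW on every objective."""
    objectives = ("confidentiality", "integrity", "availability")
    return {
        obj: max((getattr(it, obj) for it in system.info_types), default=Impact.LOW)
        for obj in objectives
    }


def system_impact(system):
    """Overall impact level: the highest objective impact in the security category."""
    return max(security_category(system).values())


def missing_dependencies(inventory):
    """Dependencies referenced by name but absent from the inventory.
    These are inventory gaps to close before any categorization can be trusted."""
    known = {s.name for s in inventory}
    return sorted({dep for s in inventory for dep in s.depends_on if dep not in known})


def third_party_dependencies(inventory):
    """(system, dependency) pairs where the dependency is a third-party platform,
    so the contractor tracks what it relies on but does not control."""
    by_name = {s.name: s for s in inventory}
    return sorted(
        (s.name, dep)
        for s in inventory
        for dep in s.depends_on
        if dep in by_name and by_name[dep].third_party
    )


def build_sample_inventory():
    """Constructed sample inventory (hypothetical systems and information types)."""
    public = InfoType("public web content", Impact.LOW, Impact.LOW, Impact.LOW)
    personnel = InfoType("personnel records", Impact.MODERATE, Impact.MODERATE, Impact.LOW)
    mission = InfoType("mission planning data", Impact.HIGH, Impact.MODERATE, Impact.MODERATE)
    return [
        System("public-site", [public]),
        System("hr-portal", [personnel], depends_on=["cloud-storage"]),
        # Two information types: the system takes the highest level across both.
        System("mission-db", [mission, personnel], depends_on=["cloud-storage", "legacy-erp"]),
        # Third-party platform that holds a copy of the personnel records.
        System("cloud-storage", [personnel], third_party=True),
    ]


def summarize(inventory):
    """Map each system name to its overall impact level name."""
    return {s.name: system_impact(s).name for s in inventory}


if __name__ == "__main__":
    inv = build_sample_inventory()
    for name, level in summarize(inv).items():
        print(f"{name:14s} {level}")
    print("undeclared dependencies:", missing_dependencies(inv))
    print("third-party dependencies:", third_party_dependencies(inv))
```

The two dependency checks are the practical point: an inventory that references a system it does not describe (here the constructed "legacy-erp") cannot be categorized completely, and a third-party platform that holds government data must still appear in the inventory with its own category even though the contractor does not operate it.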

3. System Security Plan

Federal contractors that are subject to FISMA compliance must establish a System Security Plan (SSP) that complies with all pertinent guidelines and regulations. Even if a federal contractor has a cybersecurity program in place currently, it cannot assume that this program will qualify as a compliant SSP. Among other requirements, an SSP must include a Plan of Action and Milestones (POA&M) developed in accordance with NIST guidelines.

4. Implementation of Security Controls

Once a federal government contractor develops a compliant SSP based on its inventory and categorization of all relevant IT systems and data, it must implement the security controls outlined in the plan. While this may involve complying with the FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems,” heightened security controls will be necessary in many cases.

5. Cybersecurity Risk Assessments

Federal contractors must conduct multi-layered cybersecurity risk assessments any time they modify their IT systems or change their data storage environments. They must also have protocols in place to ensure that these risk assessments take place on a timely basis when necessary. The purposes of these risk assessments are twofold: (i) to determine if the contractor’s current SSP remains adequate in light of the modifications or changes; and, (ii) if the contractor’s current SSP is no longer adequate, to determine what additional security controls are necessary.

6. Certification and Accreditation

Federal contractors must meet various certification and accreditation requirements. These requirements provide for third-party validation of contractors’ SSPs and security controls. When seeking certification or accreditation, contractors need to be confident that they are ready, as failure to obtain certification or accreditation can lead to significant delays—if not present risks for maintaining the contractor’s business relationship with the federal government.

7. Continuous Cybersecurity and FISMA Compliance Monitoring

Finally, even outside of the mandatory cybersecurity risk assessments discussed above, federal government contractors must undertake continuous efforts to monitor their cybersecurity programs and maintain FISMA compliance. Contractors should conduct internal audits and stress test their systems regularly, and they should promptly address any new risks or other developments as they arise.

This is an extremely high-level overview of what it takes for federal contractors to maintain FISMA compliance. Establishing an effective FISMA compliance program is a time-intensive and resource-intensive process, and federal contractors must be prepared to commit to establishing compliance before taking sensitive government data into their custody. At Oberheiden P.C., we work with federal contractors to comprehensively address FISMA compliance, and we make sure our clients have the tools, systems, and protocols they need to meet their federal obligations—and to prove that they are meeting their federal obligations when necessary.

FAQs: What Do Federal Government Contractors Need to Know about FISMA Compliance and Regulations?

What Are the Benefits of FISMA Compliance for Federal Government Contractors?

FISMA compliance is mandatory for federal government contractors that have access to sensitive government information. As a result, contractors will often need to establish compliance prior to or during the bidding process, and they will need to demonstrate ongoing compliance to maintain their federal contracts.

What Are the Penalties for Non-Compliance with FISMA?

Federal contractors that fail to maintain FISMA compliance can lose their government business. If non-compliance results in a breach affecting sensitive government data, this can trigger enforcement action and ensuing penalties.

Do Federal Contractors Need to Engage Outside Counsel for FISMA Compliance?

Due to the challenges, complexities, and importance of FISMA compliance, we strongly advise federal contractors to engage outside counsel. With the right outside counsel, FISMA compliance can be highly cost-effective, and it does not have to get in the way of winning, or doing, government business.

Will a Typical Corporate Cybersecurity Program Satisfy the FISMA Requirements for Federal Contractors?

No, most typical corporate cybersecurity programs will not satisfy FISMA’s requirements. To comply with FISMA, federal contractors must develop custom-tailored programs with their specific statutory and regulatory obligations in mind.

Speak with a Senior FISMA Compliance Lawyer or Consultant at Oberheiden P.C.

Is your company subject to FISMA compliance? If so, we can help you establish compliance and maintain compliance on an ongoing basis. For a complimentary initial assessment of your company’s cybersecurity needs, please call 888-680-1745 or request an appointment online today.