Conducting Regular FISMA Audits is Essential for Federal Government Contractors. Our Lawyers and Consultants Guide Contractors Through the Audit Process
Federal government contractors that have access to sensitive data must continuously maintain compliance with the Federal Information Security Modernization Act (FISMA) and its enabling regulations. To ensure that their FISMA compliance programs are working, contractors must audit their System Security Plans (SSPs) and data security protocols on a regular basis.
At Oberheiden P.C., we represent federal government contractors in all FISMA compliance matters. This includes conducting FISMA audits. As former federal government attorneys and investigative agents, our lawyers and consultants are intimately familiar with FISMA’s requirements, and we offer deep investigative insights for conducting internal audits on behalf of federal contractors in all industries.
How We Conduct FISMA Audits for Federal Contractors
We take a comprehensive approach to conducting FISMA audits and use a systematic process to thoroughly assess the effectiveness of our clients’ FISMA compliance programs. When conducting any type of internal audit, comprehensiveness is key—as overlooking even a single issue can frustrate the purpose of the audit entirely. When federal contractors’ government business is on the line, they cannot afford to take chances. They need to rely on experienced counsel, and they need to know without question that their cybersecurity protocols are FISMA-compliant.
Some of the key steps in our process for conducting FISMA audits include:
Reviewing the Contractor’s FISMA Compliance Program
The first step in conducting a FISMA audit involves reviewing the contractor’s FISMA compliance program. In many cases, we will identify deficiencies with the program itself that require remediation at this stage. FISMA and its enabling regulations are extremely complex, and federal contractors must comply with comprehensive National Institute of Standards and Technology (NIST) guidelines. If a contractor’s compliance program fails to address any pertinent requirements, this alone can put the contractor at risk of losing its government business.
Evaluating the Contractor’s System Inventory and Categorization
Under FISMA, federal contractors must inventory their IT systems and data, and they must appropriately categorize all IT systems and data as low-risk, moderate-risk, or high-risk. This categorization has significant implications for what contractors need to do to establish and maintain FISMA compliance. During FISMA audits, we assess whether our clients’ inventories are comprehensive, and we determine whether our clients’ categorizations are correct.
Evaluating the Contractor’s System Security Plan and Cybersecurity Controls
A custom-tailored System Security Plan (SSP) and effective cybersecurity controls are key to FISMA compliance. When conducting FISMA audits, we devote a significant portion of our time to evaluating our clients’ SSPs and cybersecurity controls in light of the applicable statutory and regulatory requirements. Our cybersecurity consultants are heavily involved at this stage of the process.
Reviewing the Contractor’s Certifications and Accreditations
Federal contractors may need to hold various certifications and accreditations to maintain FISMA compliance. During FISMA audits, we review our clients’ certification and accreditation files to determine whether they hold all necessary certificates and whether those certificates are up to date.
Reviewing the Contractor’s Documentation of FISMA Compliance
Federal contractors that are subject to FISMA should be generating and storing documentation of compliance on an ongoing basis. We audit our clients’ compliance documentation to ensure that no compliance failures have gone overlooked, and we assess whether our clients’ documentation efforts are sufficient to comprehensively demonstrate compliance if necessary.
Providing a Summary Report and Corrective Action Plan (CAP)
Once we have comprehensively assessed our client’s FISMA compliance efforts, we prepare a summary report and corrective action plan (CAP). These provide our clients with a detailed look at the health of their FISMA compliance programs and actionable recommendations for addressing any compliance deficiencies.
Assisting with FISMA Compliance Program Updates and Modifications
If desired, we can assist with implementing the recommendations in our corrective action plan. This includes updating compliance program documents, establishing new compliance policies and protocols, and implementing new cybersecurity controls as necessary. Our lawyers and consultants are highly experienced in assisting clients with all aspects of cybersecurity protection and FISMA compliance.
Stress-Testing New Compliance Program Components and Cybersecurity Controls
Finally, once our clients have updated their FISMA compliance programs, we conduct stress testing to assess the efficacy of their new compliance program components and cybersecurity controls. If necessary, we assist our clients with repeating the remediation and testing processes until their FISMA compliance programs are adequate.
Best Practices for FISMA Audits
When conducting FISMA audits with the guidance and oversight of outside counsel, federal contractors need to follow several best practices. This will help ensure that the audit process is as efficient as possible, and it will also help ensure that no issues go overlooked during the audit process. Some examples of best practices for FISMA audits include:
- Assembling an Effective Audit Team – Assembling a highly effective team is paramount. Working with their outside counsel, federal government contractors should select appropriate internal personnel to assist with executing their FISMA audits. These individuals may include compliance and information security officers, IT specialists, records custodians, and other subject matter experts.
- Assigning an Internal FISMA Audit Team Leader – Federal contractors should assign an internal FISMA audit team leader who will serve as the primary point of contact between the company’s personnel and its outside counsel. Typically, this team leader will be an executive-level employee, such as a Chief Compliance Officer or Chief Technology Officer.
- Comprehensively Identifying All IT Systems and Data Storage Facilities – When conducting FISMA audits, outside counsel must necessarily rely on a contractor’s personnel to assist with identifying all IT systems and data storage facilities. Once the contractor’s personnel have compiled comprehensive lists, counsel can then examine each system and facility to determine what compliance measures are needed.
- Focusing On Accuracy, Not “Confirming” Compliance – Too often, federal contractors approach the FISMA audit process from the perspective of trying to confirm their compliance. A FISMA audit should be a neutral process focused on accurately assessing the realities of the circumstances at hand, and not focused on achieving any particular outcome.
- Documenting the FISMA Audit Process – Documenting the FISMA audit process is critical as well, as this documentation can be invaluable when a contractor is asked to demonstrate compliance to a contracting agency or other federal authority. At Oberheiden P.C., we thoroughly document our clients’ FISMA audits, keeping top of mind the possibility that our documentation will be reviewed by federal agents.
Again, these are just examples. There are several complex and nuanced steps involved in conducting an effective FISMA audit. When we work with federal contractors, we provide the advice and insights our clients need to make informed and strategic decisions, and we help them derive maximum value from their audits.
FAQs: What Federal Government Contractors Need to Know About FISMA Audits
Why Should Federal Government Contractors Conduct FISMA Audits?
For federal government contractors, conducting FISMA audits is critical for ensuring ongoing compliance with their statutory and regulatory cybersecurity obligations. Federal contractors that fail to maintain FISMA compliance can face significant penalties, including (but not limited to) loss of their government business. As a result, conducting FISMA audits is a key element of effective risk management for federal contractors.
When Should Federal Government Contractors Conduct FISMA Audits?
Federal government contractors should conduct FISMA audits at least annually. In addition to conducting regularly scheduled audits, contractors should also conduct ad hoc audits in various circumstances. These include (but are not limited to) experiencing a cybersecurity incident, making changes to their IT systems or data storage facilities (which may also trigger a mandatory cybersecurity risk assessment under FISMA), and learning of updates to the FISMA cybersecurity regulations or NIST guidance.
Can Federal Contractors Conduct FISMA Audits In-House?
We generally advise against conducting FISMA audits in-house for various reasons. Put simply, most federal contractors do not have personnel with the knowledge and experience required to conduct a FISMA audit effectively. At Oberheiden P.C., we have a team of former federal prosecutors and investigative agents who are highly experienced, and they rely heavily on this experience to conduct comprehensive and effective audits that adequately protect our clients’ interests.
What Happens If a Federal Contractor Fails a FISMA Audit?
If a FISMA audit uncovers deficiencies in a federal contractor’s policies and procedures, System Security Plan, or cybersecurity controls, the contractor must address these deficiencies promptly. Depending on the nature of the issue (or issues) involved, voluntary disclosure and/or breach notification may be prudent (or necessary) as well. When we uncover deficiencies during our clients’ FISMA audits, we provide them with actionable guidance for coming into compliance, and we advise them regarding any attendant risks they may need to address proactively.
Speak with a Lawyer or Consultant at Oberheiden P.C. about Conducting a FISMA Audit
If you would like to learn more about our FISMA audit services for federal contractors, we invite you to get in touch. One of our senior lawyers or consultants will be happy to discuss your company’s needs in confidence. To arrange a complimentary initial consultation at your convenience, please call 888-680-1745 or tell us how we can contact you online today.