Achieving FISMA and NIST Compliance
Security Assessment and Authorization & Continuous Monitoring
Understanding FISMA Compliance Requirements
The Federal Information Security Modernization Act (FISMA), originally enacted in 2002 and updated in 2014, is United States legislation that establishes guidelines and security standards that federal agencies, and in some cases state agencies, are required to meet. The act calls on agencies to develop, document, and implement a risk-based information security program that ensures continuity of operations for information systems, while balancing the need for security against the cost/benefit analysis of implementing controls.
Recognizing that not all risks, missions and agencies require the same level of protection, FISMA requirements leave room for customization, enabling agencies to select the controls most appropriate for their mission. Implementation of FISMA compliance relies on standards and guidelines published by the National Institute of Standards and Technology (NIST) as part of its FISMA Implementation Project. These include FIPS 199 and FIPS 200 as well as several NIST Special Publications, including NIST SP 800-37, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-59 and NIST SP 800-60.
Getting to FISMA Compliance
As your agency continues its journey toward FISMA compliance and adherence to NIST standards and guidelines, you need to shed ineffective point-in-time compliance practices in favor of an integrated, ongoing risk management program. This change requires qualified staff with experience in selecting controls that align with your organizational goals and requirements, and in defining metrics that measure the efficacy of your risk management program.
To ensure you’re implementing the right controls, properly prioritizing risks and investing in the appropriate remediation to achieve improvement over time, you’ll need a combination of integrated processes and systems, experienced staff and innovative technology. Achieving this trifecta can be challenging with limited resources and staffing, but TalaTek can help.
TalaTek Enterprise Compliance Management Solution (ECMS) is a cloud-managed service that delivers the people, processes and technology needed to ensure your risk management program meets its goals. Our seasoned industry experts know regulations, frameworks and controls thoroughly, including FISMA and NIST. Our proven process framework and assessment methodologies integrate with our technology so you can build a risk management program that measures risk holistically, across the organization’s technical, operational and management controls. With ECMS you create an automated, repeatable process that ensures consistent implementation, measurement and monitoring over time, effectively addressing your unique regulatory and control requirements.
Meet your FISMA compliance requirements with ECMS:
Continuous Monitoring – ECMS integrates all risk, compliance and IT security data into a single system of record, providing an enterprise view of your risk status and facilitating ongoing awareness of information security, vulnerabilities, and threats.
Security Assessment & Authorization – As a single system of record, ECMS enables efficient ongoing authorizations for the SA&A process, including:
Security Plan – Document risk, security and compliance requirements and the controls implemented to meet them.
Security Assessment – Analyze current controls, how they are implemented and whether they meet current requirements. Document weaknesses and recommended corrective actions.
Plan of Action and Milestones – Define remediation plans, identify owners and build workflows to drive efficient and timely completion of tasks.
“The Human Genome Sequencing Center (HGSC) has worked with TalaTek since March of 2012, when they helped us successfully achieve a critical compliance milestone on a very tight timetable.
“Since then, TalaTek has helped us navigate the challenges of FISMA compliance while always keeping our security status in mind and costs down. TalaTek’s subject matter experts helped our team effectively prioritize efforts to meet our security and compliance needs. They have been flexible and responsive, tailoring solutions to our unique concerns.”
Information System Owner (ISO), Human Genome Sequencing Center