Achieving FISMA and NIST Compliance
Security Assessment and Authorization & Continuous Monitoring
The Federal Information Security Modernization Act (FISMA), originally drafted in 2002 and updated in 2014, is United States legislation that provides guidelines and security standards that federal agencies, and in some cases state agencies, are required to meet. The act calls on agencies to develop, document, and implement a risk-based information security program to ensure continuity of operations for information systems, while balancing the need for security against the cost/benefit analysis of implementing controls.
Recognizing that not all risks, missions and agencies require the same level of protection, FISMA requirements leave room for customization, enabling agencies to select the controls most appropriate for their mission. Implementation of FISMA compliance relies on standards and guidelines published by the National Institute of Standards and Technology (NIST) as part of its FISMA Implementation Project. These include FIPS 199 and FIPS 200 as well as several NIST Special Publications, including NIST SP 800-37, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-59 and NIST SP 800-60.
Getting to FISMA Compliance
As your agency continues its journey to achieve FISMA compliance and adherence to NIST standards and guidelines, you need to shed ineffective point-in-time risk and compliance practices in favor of an integrated governance, risk and compliance (GRC) program. This change requires qualified staff with experience in selecting controls that align with your organizational goals and requirements and in defining metrics that measure the efficacy of your risk and compliance management efforts.
To ensure you’re implementing the right controls, properly prioritizing risks and investing in the appropriate remediation to achieve improvement over time, you’ll require a combination of integrated processes and systems, experienced staff and innovative technology. Achieving this optimal trifecta can often be challenging with limited resources and staffing, but TalaTek can help.
TalaTek intelligent Governance and Risk Integrated Solution (TiGRIS) is a cloud-managed service that delivers the people, processes and technology needed to ensure your governance, risk and compliance program meets its goals. Our seasoned GRC experts know regulations, frameworks and controls thoroughly, including FISMA and NIST. Our proven methodologies integrate with our FedRAMP-authorized technology so you can build a GRC program that measures risk holistically, across the organization's technical, operational and management controls. With TiGRIS you create an automated and repeatable process that ensures consistent implementation, measurement and monitoring over time, effectively addressing your unique regulatory and control requirements without significant investment in personnel and technology resources.
Meet your FISMA compliance requirements with TiGRIS:
Continuous Monitoring – TiGRIS integrates all risk, compliance and IT security data into a single system of record, providing an enterprise view of your risk status and facilitating ongoing awareness of information security, vulnerabilities and threats.
Security Assessment & Authorization – As a single system of record, TiGRIS enables efficient ongoing authorizations for the SA&A process, including:
- Security Plan – Document risk, security and compliance requirements and the controls implemented to meet them.
- Security Assessment – Analyze current controls, how they are implemented and whether they meet current requirements. Document weaknesses and recommended corrective actions.
- Plan of Action and Milestones – Define remediation plans, identify owners and build workflows to drive efficient and timely completion of tasks.
“Since then, TalaTek has helped us navigate the challenges of FISMA compliance while always keeping our security status in mind and costs down. TalaTek’s subject matter experts helped our team effectively prioritize efforts to meet our security and compliance needs. They have been flexible and responsive, tailoring solutions to our unique concerns.”
Information System Owner (ISO), Human Genome Sequencing Center