FISMA vs. FedRAMP and NIST: Making Sense of Government Compliance Standards

FISMA, FedRAMP, NIST, DFARS, CJIS, HIPAA … Government compliance standards can seem like a veritable alphabet soup. Making matters even worse, a lot of them overlap, and many organizations aren’t certain which standards they need to comply with.

Even if your organization does not currently operate in the public sector, it is important to understand the fundamentals of FISMA, FedRAMP, and NIST. First, the U.S. government is the single largest buyer of goods and services in the world, and your company may ultimately want to tap this lucrative market. Second, any information security standards that the federal government implements will ultimately trickle down into state and local laws, as well as industry frameworks.

What is NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency that is part of the United States Department of Commerce. Its mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

Among many other responsibilities, NIST creates and promotes information security standards for the federal government. These standards are outlined in NIST’s SP-800 series of publications, including NIST SP 800-53 (also known as NIST 800-53), which outlines security controls for federal information systems and organizations and documents security controls for all federal information systems, except those designed for national security. Federal agencies must comply with NIST guidelines and standards within one year of their publication.

The controls outlined in NIST 800-53 are the basis for FISMA as well as FedRAMP, DFARS, CJIS, HIPAA, FedRAMP +, FedRAMP DoD IL 2, 4, 5, 6 and others.

What is FISMA?

FISMA was first enacted in 2002 as the Federal Information Security Management Act, then updated in 2014 to the Federal Information Security Modernization Act. FISMA applies to:

• All federal government agencies
• State agencies that administer federal programs, such as Medicare/Medicaid and student loans
• All private-sector firms that support federal programs, sell services to the federal government, or receive federal grant money

In a nutshell, FISMA requires the implementation of information security controls that utilize a risk-based approach. The primary framework for FISMA compliance is NIST 800-53. Organizations that demonstrate FISMA compliance are awarded an Authority to Operate (ATO) from the federal agency they are doing business with. This ATO applies only to that particular agency; if an organization has contracts with multiple federal agencies, they must obtain an ATO from each one. The logic behind this is that because every federal agency has different data security needs and vulnerabilities, different controls may apply. A FISMA assessment may be performed directly by the agency granting the ATO or a third-party security assessor.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) was designed to support the federal government’s “cloud-first” initiative by making it easier for federal agencies to contract with cloud providers. Like FISMA, the controls outlined in FedRAMP are based on NIST 800-53.

Unlike FISMA, which requires organizations to seek an ATO from each individual federal agency, a FedRAMP ATO qualifies a cloud service provider to do business with any federal agency. Because FedRAMP ATO’s are more far-reaching, the certification process is far more rigorous. It must also be performed by a certified third-party assessment organization (3PAO) such as Lazarus Alliance. Finally, FedRAMP is more specific than FISMA. FISMA applies to information systems security in general, while FedRAMP applies only to cloud service providers and federal agencies that plan to use cloud service providers.

Since the FedRAMP certification process is so demanding, a FedRAMP ATO is beneficial even for cloud service providers that do not currently work with the federal government. Private-sector companies are aware of how difficult it is to comply with FedRAMP and recognize it as a gold standard of cloud security.

However, this is not to say the FISMA compliance process is “easy.” Organizations need to map the specific NIST 800-53 controls to the FISMA requirements of each agency they wish to do business with. There are hundreds of different controls, and figuring out which ones apply in each situation can be quite complex.

Complying with FedRAMP, FISMA, and NIST 800-53

Regardless of which compliance framework is right for your organization, it’s best to partner with a certified 3PAO such as Lazarus Alliance. Our FISMA and FedRAMP Cybervisors™ will provide your decision-makers with a clear picture of certification costs, timelines, and internal resource demands to facilitate an informed decision about pursuing FedRAMP or FISMA certification based on NIST 800-53.

Further, by leveraging Continuum GRC’s proprietary IT Audit Machine, a revolutionary GRC software package that utilizes pre-loaded, drag-and-drop modules, Lazarus Alliance takes the pain and high costs out of the FedRAMP and FISMA compliance process. Some of our clients have saved up to 1,000% over traditional FedRAMP assessment methods.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call +1 (888) 896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

By following these best practices, organizations can enjoy the benefits of cyber security outsourcing, minimize the risks, and build fruitful, long-term relationships with trusted providers.

With the cyber security skills gap making it extremely difficult or even impossible for companies to find the security talent they need – and they need it yesterday – more and more firms are turning to cyber security outsourcing. Outsourcing is a great way to save money and gain immediate access to security expertise that you do not have in-house. However, it’s also a very serious decision. Your cyber security outsourcing provider will have access to your entire network and all of your sensitive data. How can you ensure that you are partnering with a provider who is not only legitimate but is also the right fit for your particular organization and data environment? Following are five best practices to follow when choosing a provider for cyber security outsourcing.

If Something Seems “Off” About a Company, It Probably Is …

At a minimum, steer clear of providers who:

• Cannot provide you with a street address and phone number.
• Do not have enterprise email addresses and communicate with you using addresses from Gmail, Yahoo, etc.
• Have websites that appear very “amateurish” in design and/or contain text written in broken English.

These are immediate red flags that indicate you are dealing with an amateur – or possibly a fly-by-night operation.

Get References

Even if a provider seems perfectly legitimate and professional, always ask for references, and make sure to call them. Professional cyber security firms are always happy to provide verifiable references. You should also Google the name of the company and its principal(s) and look for reviews – or complaints.

Make Sure that the Provider Can Handle all of Your Compliance Requirements

Lazarus Alliance’s audit and assessment services include HIPAA and HITECH, PCI DSS QSA, SSAE 18 and AT 101 SOC reports, FedRAMP, FISMA, NIST, CJIS, DFARS, ISO, NERC CIP, SOX, ISO, and EU-US Privacy Shield certification; we are the only Arizona-based company that provides this depth of coverage. For that matter, very few in the world can provide this depth of expertise!

However, many cyber security outsourcing companies – including some that are very large – handle certain IT compliance requirements but not others. Make sure that your provider not only offers all of the compliance services you need but also has experience performing those specific audits; ask about your specific compliance requirements while you are checking the provider’s references.

Ask the Cyber Security Outsourcing Provider About Their Audit & Compliance Processes

Believe it or not, some IT auditors are still using Excel or other spreadsheet programs to perform IT compliance reporting and audits, despite the fact that spreadsheet programs were never meant to be used with the very large data sets produced in today’s complex data environments. An auditor that is still fumbling around with spreadsheets is going to plunge your company into audit anarchy and cost you a lot of time, money, and headaches.

Make sure your provider uses modern RegTech software to perform compliance reporting and audits, such as the Continuum GRC IT Audit Machine (ITAM). ITAM utilizes big data capabilities and rapid report creation to automate data management and reporting. Instead of dozens of different spreadsheets and ledgers, ITAM creates a centralized repository of all IT compliance requirements with associated controls and automated information flows for audits, assessments, and testing. This saves you time, money, and stress and provides you with a big picture of your data environment and its risks and vulnerabilities.

Get Everything in Writing

Finally, make sure that the provider signs a written contract that specifies exactly what is expected of them and ensures that they are willing to guarantee any promises they make.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.