FISMA vs. FedRAMP and NIST: Making Sense of Government Compliance Standards

FISMA, FedRAMP, NIST, DFARS, CJIS, HIPAA … Government compliance standards can seem like a veritable alphabet soup. Making matters even worse, a lot of them overlap, and many organizations aren’t certain which standards they need to comply with.

Even if your organization does not currently operate in the public sector, it is important to understand the fundamentals of FISMA, FedRAMP, and NIST. First, the U.S. government is the single largest buyer of goods and services in the world, and your company may ultimately want to tap this lucrative market. Second, any information security standards that the federal government implements will ultimately trickle down into state and local laws, as well as industry frameworks.

What is NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency that is part of the United States Department of Commerce. Its mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

Among many other responsibilities, NIST creates and promotes information security standards for the federal government. These standards are outlined in NIST’s SP-800 series of publications, including NIST SP 800-53 (also known as NIST 800-53), which outlines security controls for federal information systems and organizations and documents security controls for all federal information systems, except those designed for national security. Federal agencies must comply with NIST guidelines and standards within one year of their publication.

The controls outlined in NIST 800-53 are the basis for FISMA as well as FedRAMP, DFARS, CJIS, HIPAA, FedRAMP +, FedRAMP DoD IL 2, 4, 5, 6 and others.

What is FISMA?

FISMA was first enacted in 2002 as the Federal Information Security Management Act, then updated in 2014 to the Federal Information Security Modernization Act. FISMA applies to:

• All federal government agencies
• State agencies that administer federal programs, such as Medicare/Medicaid and student loans
• All private-sector firms that support federal programs, sell services to the federal government, or receive federal grant money

In a nutshell, FISMA requires the implementation of information security controls that utilize a risk-based approach. The primary framework for FISMA compliance is NIST 800-53. Organizations that demonstrate FISMA compliance are awarded an Authority to Operate (ATO) from the federal agency they are doing business with. This ATO applies only to that particular agency; if an organization has contracts with multiple federal agencies, they must obtain an ATO from each one. The logic behind this is that because every federal agency has different data security needs and vulnerabilities, different controls may apply. A FISMA assessment may be performed directly by the agency granting the ATO or a third-party security assessor.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) was designed to support the federal government’s “cloud-first” initiative by making it easier for federal agencies to contract with cloud providers. Like FISMA, the controls outlined in FedRAMP are based on NIST 800-53.

Unlike FISMA, which requires organizations to seek an ATO from each individual federal agency, a FedRAMP ATO qualifies a cloud service provider to do business with any federal agency. Because FedRAMP ATO’s are more far-reaching, the certification process is far more rigorous. It must also be performed by a certified third-party assessment organization (3PAO) such as Lazarus Alliance. Finally, FedRAMP is more specific than FISMA. FISMA applies to information systems security in general, while FedRAMP applies only to cloud service providers and federal agencies that plan to use cloud service providers.

Since the FedRAMP certification process is so demanding, a FedRAMP ATO is beneficial even for cloud service providers that do not currently work with the federal government. Private-sector companies are aware of how difficult it is to comply with FedRAMP and recognize it as a gold standard of cloud security.

However, this is not to say the FISMA compliance process is “easy.” Organizations need to map the specific NIST 800-53 controls to the FISMA requirements of each agency they wish to do business with. There are hundreds of different controls, and figuring out which ones apply in each situation can be quite complex.

Complying with FedRAMP, FISMA, and NIST 800-53

Regardless of which compliance framework is right for your organization, it’s best to partner with a certified 3PAO such as Lazarus Alliance. Our FISMA and FedRAMP Cybervisors™ will provide your decision-makers with a clear picture of certification costs, timelines, and internal resource demands to facilitate an informed decision about pursuing FedRAMP or FISMA certification based on NIST 800-53.

Further, by leveraging Continuum GRC’s proprietary IT Audit Machine, a revolutionary GRC software package that utilizes pre-loaded, drag-and-drop modules, Lazarus Alliance takes the pain and high costs out of the FedRAMP and FISMA compliance process. Some of our clients have saved up to 1,000% over traditional FedRAMP assessment methods.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call +1 (888) 896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Governance, risk, and compliance should be at the heart of AWS security procedures

Another day, another AWS security breach, and this one is particularly bad because of the extraordinarily sensitive nature of the data that was compromised: Over 9,000 documents containing personal data on job applicants holding U.S. security clearances, some of them Top Secret, were discovered sitting on an insecure AWS S3 bucket, where they may have been for as long as a year. Gizmodo reports:

[T]he cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.

Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm who discovered and reviewed the documents. Between 15 and 20 applicants reportedly meet this criteria.

The AWS bucket belonged to a company called TalentPen, a third-party vendor hired by private security firm Tiger Swan to process job applications.

Sound GRC Can Prevent AWS Security Breaches

The TalentPen breach is only the latest in a long line of AWS security incidents, most of them involving third-party business associates of larger firms, such as Verizon and the Republican National Committee. The problem is so pervasive that Amazon itself recently sent out a mass email to customers with unprotected AWS S3 buckets, imploring them to review their security settings, and many companies are now questioning how secure the AWS service really is.

However, the problem isn’t with Amazon Web Services. AWS security is quite sound – if it is configured correctly, and if the enterprise using it follows sound GRC practices and applies them to on-premises data, data residing in the cloud, and, in the case of the companies hiring IT service providers, data being handled by those service providers.

It’s Your Data, and You’re the One Who Has to Secure It and Maintain Compliance

While AWS offers security protections such as encryption of PII both at rest and in transit, and AWS S3 buckets are set to private by default, these protections are only as good as the company that’s utilizing AWS. In the Verizon, RNC, TalentPen, and other recent breaches, someone went into the system and took specific steps to override the default AWS settings and open the buckets up for public viewing.

This raises very serious questions regarding data security and governance within these organizations. Who went into the AWS accounts and made these buckets public? Why did they do this? Why did they have the system privileges to access this data and make this change, and why did the change go unnoticed (in the case of TalentPen, perhaps for as long as a year)? Why was data this sensitive uploaded to the cloud in the first place? Comprehensive, consistent cloud security and AWS security protocols, combined with appropriate user access credentials and continuous system monitoring, would have prevented all of these breaches.

Compliance is another issue when using AWS or other cloud services. While AWS contains tools that customers can use to ensure they comply with major IT audit frameworks, such as HIPPA, PCI DSS, NIST, and FISMA, it would be impossible for AWS, or any other provider, to ensure that all of their customers are covering every aspect of the specific compliance requirements that apply to them. Thus, AWS operates on a “shared responsibility” model, where AWS itself is responsible for the security and compliance of their cloud, while their customers are responsible for the security of the data they store within it.

In the end, it is your data, and you are the one who is ultimately responsible for it – even if a third-party vendor is the one who mishandles it.

Addressing governance, risk, and compliance in the cloud and throughout your cyber ecosystem can be a challenge, but in the end, proactive GRC is much less expensive than cleaning up after a data breach.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Hacks in the City: Latest in String of HBO Hacks Targets Company’s Social Media Accounts

HBO has had a rough summer, and things are getting progressively worse for the cable titan. The HBO hacks began in late June, when an individual hacker or group calling themselves “Mr. Smith” dumped several episodes of upcoming HBO series and the script to an upcoming Game of Thrones episode online. Mr. Smith claimed to have stolen approximately 1.5TB of data and threatened to release all of it unless HBO paid them $6 to $7 million. HBO countered with an offer of $250,000. Mr. Smith apparently found this laughable and continued to leak not only content and scripts but confidential emails and the personal data of the GoT cast.

While the attention of the media (and HBO) was focused on Mr. Smith, a full upcoming episode of GoT was released online. This wasn’t the work of Mr. Smith but that of malicious insiders at a company called Prime Focus Technologies, a third-party vendor of Star India, HBO’s business associate that airs GoT in India. In other words, HBO was victimized by a hack at a third-party vendor of a third-party vendor.

In Incident #3 in the string of HBO hacks, the company “hacked” itself. This time, an apparent employee mistake at HBO Nordic and HBO España, two European affiliates of HBO, resulted in the first hour of an episode of GoT being aired four days early. It didn’t take long for the content to appear online.

The network’s latest Excederin headache came on last week, when a separate hacker or group calling itself OurMine, which was behind several high-profile social media takeovers at other companies, took control of HBO’s Twitter and Facebook accounts.

It is highly unlikely the HBO hacks will stop anytime soon. Around the same time as the OurMine social media debacle, Mr. Smith contacted Mashable and sent them “what appears to be the login credentials for almost every single HBO social media account. Passwords for everything from @HBO, @GameOfThrones, and @WestworldHBO to various Instagram and Giphy accounts.” Mr. Smith also claimed to be in possession of the season finale of GoT and solemnly vowed to release it if HBO didn’t pay up soon.

Hey HBO, how’s that reactive cyber security working out for you?

The HBO hacks involve multiple cyber security issues, including malicious insiders, innocent but damaging employee errors, third-party vendor hacks, email hacks, corporate espionage, theft of digital IP and company secrets, and login credentials theft – and that’s just what’s happened and what we know about so far. It hasn’t yet been determined exactly how Mr. Smith and OurMine got hold of the credentials they needed to breach HBO’s internal network and social media accounts, but usually, login credential theft occurs through email phishing scams, so we’re probably looking at more employee error.

Two things are clear: HBO is a company in cyber security crisis, and it has inadvertently become a case study of why reactive cyber security doesn’t work. The fact that is being attacked on multiple fronts, by multiple parties, is indicative of a longstanding reactive stance to cyber attacks and deep-rooted security vulnerabilities at all levels of the organization. It desperately needs to implement sound GRC and proactive cyber security practices and wrest back control over its entire enterprise cyber ecosystem.

How much will all of this end up costing HBO in the end? Whatever the final number is, it’s safe to bet that it would have been a lot cheaper and far less damaging if HBO had never lost control over its cyber security in the first place.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.