
FISMA, The RMF and Why They Are Important

Published 2/2/2018 12:29 PM

Executive Summary

This blog series covers the Dos and Don'ts of contracting with the government. We'll cover the latest policies, guidelines and frameworks developed by the government that you need to know.

This blog is meant to introduce new contractors in the federal space to the innerworkings of government business elements. As the government publishes new Information Security regulations and guidelines, we’ll keep you updated on what you need to know and why you need to know it.

Key Terms

Compliance: Adhering to a rule or a set of rules

FISMA: The Federal Information Security Modernization Act, designed to provide the guidelines necessary to protect federal data

Information Security: Ensuring the integrity, authenticity, availability, and confidentiality of information

NIST: The National Institute of Standards and Technology, a non-regulatory agency under the Department of Commerce

RMF: NIST's Risk Management Framework, providing guidelines to becoming FISMA compliant

Background

FISMA (Federal Information Security Modernization Act of 2014) is an amendment to FISMA 2002 (Federal Information Security Management Act of 2002). Essentially, the purpose of the amendment is to establish and highlight the importance of information security for federal systems and mandate the development of, and compliance with, a government-grade information security framework. As a contractor, there are two noteworthy benefits that will come of this:

1. FISMA 2014 mandates a change in federal infrastructure that requires new hardware and services.

2. The amendment explicitly acknowledges that commercial information security products "offer advanced, dynamic, robust, and effective information security solutions" (U.S. Government Printing Office, 2014). This acknowledgement implies that the government is actively looking to the commercial market for solutions to its information security needs.

Additionally, NIST’s RMF (Risk Management Framework) complements FISMA by providing guidelines that lead to becoming FISMA compliant. The RMF consists of 6 steps, according to NIST:

  • Step 1: Categorize
  • Step 2: Select
  • Step 3: Implement
  • Step 4: Assess
  • Step 5: Authorize
  • Step 6: Monitor

Which Parts of FISMA Apply to Contractors

Well, let’s jump right to it: what parts of FISMA and the RMF are most relevant, and what happens when you are not compliant?

FISMA (2014) was intended for the government. The mandates described within do not directly require contractors to do anything. So, what's the big hoopla about? FISMA is important to contractors who are aiming to reap the benefits of working with the government.

The "IS" in FISMA is "Information Security," not "Systems Security." The major distinction here is that FISMA emphasizes the security of federal information through any medium, not just federal systems. This is where the RMF comes into play. The RMF abstracts information security requirements from federal law into a modular, scalable system development lifecycle, and it encapsulates everything you'll need to know about FISMA to be compliant.

The RMF relies heavily on security controls, which are its foundation. These controls are outlined in NIST SP 800-53 and will be covered in a later blog post. Their purpose is to provide safeguards and countermeasures that protect the security, integrity and availability of information (Joint Task Force Transformation Initiative, 2013).

The Consequences of Not Being Compliant

There are significant drawbacks to hosting infrastructures that are not FISMA compliant, including exclusion from competition for federal contracts. In light of the fact that warfare is shifting to the cyber arena, the Federal Government is pushing more and more to secure its data systems. These policies, in turn, affect the funding that is available to us contractors.

Non-compliant federal contractors with current contracts are also at risk of losing their contracts, or even of facing federal charges. Furthermore, most federal grants now require FISMA compliance. The government simply will not fund organizations or projects that open security holes by not being FISMA compliant.


References

Joint Task Force Transformation Initiative. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from National Institute of Standards and Technology: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

U.S. Government Printing Office. (2014, December 18). S.2521 - Federal Information Security Modernization Act of 2014. Retrieved from congress.gov: https://www.congress.gov/bill/113th-congress/senate-bill/2521/text
