The National Institute of Standards and Technology has developed a risk management framework for achieving FISMA compliance. The FISMA guidelines for compliance are outlined in NIST 800-53, NIST 800-171, FIPS 199, and FIPS 200. For the sake of simplicity, we’ll summarize the steps organizations must take to achieve FISMA compliance.
1. Create and maintain an information security inventory
Agencies must maintain documentation that outlines all networks, their connections, security perimeters, and integrations. The documentation should provide an at-a-glance view of the current network infrastructure. This documentation is used when performing risk assessments.
2. Categorize risks based on agency-specific NIST standards
Once you have detailed documentation of your information systems, each system must be categorized according to the standards set out in FIPS 199. The categorizations highlight the level of risk present in each system element, and the overall system is secured to the highest level that any of its elements requires.
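As an added illustration of the FIPS 199 categorization step (not part of the original summary), the following Python applies the FIPS 199 rule to a constructed inventory: each security objective takes the highest impact among the information types a system hosts, and the system's overall level is the highest of the three objectives. The information types, names and impact levels in the inventory are made up for the example.

```python
from dataclasses import dataclass
# FIPS 199 impact levels, ranked so that max() selects the higher impact.
# "N/A" is allowed by FIPS 199 only for confidentiality (public information).
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
RANK_TO_LEVEL = {rank: level for level, rank in LEVELS.items()}

@dataclass(frozen=True)
class InfoType:
    """One information type and its FIPS 199 security category (C, I, A)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in ("confidentiality", "integrity", "availability"):
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            # FIPS 199 forbids "not applicable" for integrity and availability.
            if level == "N/A" and objective != "confidentiality":
                raise ValueError(f"{self.name}: {objective} cannot be N/A")

def highest(levels):
    """Return the highest impact level among the given levels."""
    return RANK_TO_LEVEL[max(LEVELS[level] for level in levels)]

def categorize_system(info_types):
    """FIPS 199 system categorization: each objective takes the highest impact
    across all hosted information types; the overall level (the "high water
    mark") is the highest of the three and selects the NIST 800-53 baseline."""
    if not info_types:
        raise ValueError("a system must host at least one information type")
    category = {
        "confidentiality": highest(t.confidentiality for t in info_types),
        "integrity": highest(t.integrity for t in info_types),
        "availability": highest(t.availability for t in info_types),
    }
    category["overall"] = highest(category.values())
    return category

if __name__ == "__main__":
    # Constructed inventory for a hypothetical case-management system.
    system = [
        InfoType("public notices", "N/A", "LOW", "LOW"),
        InfoType("case files", "MODERATE", "MODERATE", "LOW"),
        InfoType("citizen PII", "HIGH", "MODERATE", "LOW"),
    ]
    print(categorize_system(system))
```

A single high-impact information type pulls the whole system to the high baseline, which is why the inventory from step 1 has to be complete before categorizing.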
3. Maintain and regularly update a security plan
The system security plan outlines all security processes, procedures, controls, and policies, providing a guide for different security actions that may take place. This document should be updated regularly in response to changes in the systems and security landscape.
4. Implement security controls
NIST 800-53 defines 20 control families, each containing numerous controls, that relevant organizations must implement. These controls aim to provide a consistent level of security across all federal agencies and systems.
5. Conduct risk assessments
Any time there is a change in systems, a risk assessment must be performed to analyze and identify any change in potential vulnerabilities and risks.
6. Conduct yearly security reviews
Relevant organizations need to conduct yearly security reviews to prove their FISMA compliance, upon which they’ll receive certification and accreditation.