Third Party Risk Management

4 Things to Know About FISMA

Brian Thomas | January 11, 2021

Recently we wrote about the top cybersecurity frameworks to reduce cybersecurity risk, and the Federal Information Security Management Act (FISMA) certainly belongs in that list. But what is FISMA? Who does it apply to? Why is it so important?

Let’s take a look at four things to know about FISMA, from what it is to how to monitor FISMA compliance.

What Is FISMA?

Put simply, FISMA provides federal agencies with guidance to create effective cybersecurity programs that protect government information. FISMA sets standards for both first- and third-party compliance, ensuring that agencies are not only secure themselves, but also that any vendors they work with continue to maintain high security standards. The framework includes nine steps to better cybersecurity, ranging from identifying and implementing security controls to continuous monitoring and evaluation.

FISMA calls for a holistic and measurable approach to cybersecurity. Agencies and their vendors must create KPIs and metrics to show they’re successfully protecting their information and performing annual security reviews and continual risk assessments. This information is necessary to demonstrate FISMA compliance.

What Does FISMA Mean For You?

If you’re a federal security manager, FISMA requires you to gain complete and near real-time visibility into your own networks and those of your vendors. That means any third parties you use must also be in compliance. 

But the threat doesn’t stop with third parties; it’s critical to ensure their partners -- fourth and nth parties -- are also secure. This can pose a significant challenge, for a couple of reasons. First, smaller vendors may not have the capacity or expertise to continuously monitor their own systems. And the deeper the supply chain goes, the tougher it can be to ensure that every link in the chain is maintaining proper security measures.

How Can You Monitor FISMA Compliance?

Traditional third-party assessment practices, while helpful, are often time consuming and inadequate because they only provide a brief snapshot of a vendor’s security posture. And yet, as recent third-party cyberattacks like SolarWinds ORION prove, periodic assessments are not enough. Only continuous and automated monitoring -- which FISMA calls for -- is sufficient to ensure that third-party vendors are always in compliance with FISMA standards.

Monitoring fourth parties is even more challenging, as it requires a deep dive into subcontractors and other providers you may not even know are part of your supply chain. Many of these organizations may be smaller companies -- some consisting of only a few employees -- that may not have the means to create strong security programs of their own. This makes them particularly vulnerable, and understanding the connections between them and your third-party vendors even more important.  

How Can Security Ratings Support Compliance?

Security ratings provide a measurable metric to determine third- and fourth-party risk. A security rating gives clear insight into your vendors’ security postures, and offers CISOs and other members of the executive team an easily interpretable gauge of risk levels. The higher the rating, the lower the risk. A low vendor score may indicate heightened risk while presenting an opportunity to have an honest conversation with the vendor about the need to enhance their security measures.

Security ratings are derived from continuous monitoring of agencies and their vendor partners, thus satisfying one of the core FISMA requirements. Through continuous monitoring, you can proactively maintain FISMA compliance by addressing issues as they arise.

Want to learn more about third party risk management?

Download our ebook, which addresses ways to make your vendor lifecycle management more efficient without sacrificing security. It’s a valuable resource that can help you mitigate third-party risk and help strengthen your FISMA framework.

5 tips to manage third-party risk

Suggested Posts

4 Things to Know About FISMA

Recently we wrote about the top cybersecurity frameworks to reduce cybersecurity risk, and the Federal Information Security Management Act (FISMA) certainly belongs in that list. But what is FISMA? Who does it apply to? Why is it so...

READ MORE »

Best Practices For Managing Third Party Risk

Properly managing third party risk and preventing damaging outcomes that result from gaps in your vendor ecosystem can be difficult and costly. With the recent SolarWinds data breach wreaking havoc on thousands of organizations globally,...

READ MORE »

Do You Have The Right Vendor Management Policies?

If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...

READ MORE »

Subscribe to get security news and updates in your inbox.