4 Things to Know About FISMA

Brian Thomas | January 11, 2021 | tag: Third Party Risk Management

Recently we wrote about the top cybersecurity frameworks to reduce cybersecurity risk, and the Federal Information Security Management Act (FISMA) certainly belongs in that list. But what is FISMA? Who does it apply to? Why is it so important?

Let’s take a look at four things to know about FISMA, from what it is to how to monitor FISMA compliance.

What Is FISMA?

Put simply, FISMA provides federal agencies with guidance to create effective cybersecurity programs that protect government information. FISMA sets standards for both first- and third-party compliance, ensuring that agencies are not only secure themselves, but also that any vendors they work with continue to maintain high security standards. The framework includes nine steps to better cybersecurity, ranging from identifying and implementing security controls to continuous monitoring and evaluation.

FISMA calls for a holistic and measurable approach to cybersecurity. Agencies and their vendors must create cyber security KPIs and metrics to show they’re successfully protecting their information and performing annual security reviews and continual risk assessments. This information is necessary to demonstrate FISMA compliance.

What Does FISMA Mean For You?

If you’re a federal security manager, FISMA requires you to gain complete and near real-time visibility into your own networks and those of your vendors. That means any third parties you use must also be in compliance. 

But the threat doesn’t stop with third parties; it’s critical to ensure their partners -- fourth and nth parties -- are also secure. This can pose a significant challenge, for a couple of reasons. First, smaller vendors may not have the capacity or expertise to continuously monitor their own systems. Second, the deeper the supply chain goes, the tougher it is to ensure that every link in the chain maintains proper security measures.

How Can You Monitor FISMA Compliance?

Traditional third-party cyber risk assessment practices, while helpful, are often time-consuming and inadequate because they only provide a brief snapshot of a vendor’s security posture. As recent third-party cyberattacks like the SolarWinds Orion compromise prove, periodic assessments are not enough. Only continuous and automated monitoring -- which FISMA calls for -- is sufficient to ensure that third-party vendors remain in compliance with FISMA standards.

Monitoring fourth parties is even more challenging, as it requires a deep dive into subcontractors and other providers you may not even know are part of your supply chain. Many of these organizations may be smaller companies -- some consisting of only a few employees -- that may not have the means to create strong security programs of their own. This makes them particularly vulnerable, and makes understanding the connections between them and your third-party vendors even more important.

How Can Security Ratings Support Compliance?

Security ratings provide a measurable metric to determine third- and fourth-party risk. A security rating gives clear insight into your vendors’ cybersecurity postures, and offers CISOs and other members of the executive team an easily interpretable gauge of risk levels. The higher the rating, the lower the risk. A low vendor score may indicate heightened risk while presenting an opportunity to have an honest conversation with the vendor about the need to enhance their security measures.

Security ratings are derived from continuous monitoring of agencies and their vendor partners, thus satisfying one of the core FISMA requirements. Through continuous monitoring, you can proactively maintain FISMA compliance by addressing issues as they arise.

Want to learn more about third party risk management?

Download our ebook, which addresses ways to make your vendor lifecycle management more efficient without sacrificing security. It’s a valuable resource that can help you mitigate third-party risk and help strengthen your FISMA framework.
