4 Things to Know About FISMA

Brian Thomas | January 11, 2021 | tag: Third Party Risk Management

Recently we wrote about the top cybersecurity frameworks to reduce cybersecurity risk, and the Federal Information Security Management Act (FISMA) certainly belongs in that list. But what is FISMA? Who does it apply to? Why is it so important?

Let’s take a look at four things to know about FISMA, from what it is to how to monitor FISMA compliance.

What Is FISMA?

Put simply, FISMA provides federal agencies with guidance to create effective cybersecurity programs that protect government information. FISMA sets standards for both first- and third-party compliance, ensuring that agencies are not only secure themselves, but also that any vendors they work with continue to maintain high security standards. The framework includes nine steps to better cybersecurity, ranging from identifying and implementing security controls to continuous monitoring and evaluation.

FISMA calls for a holistic and measurable approach to cybersecurity. Agencies and their vendors must define cybersecurity KPIs and metrics that show they are successfully protecting their information and performing annual security reviews and continual risk assessments. This evidence is necessary to demonstrate FISMA compliance.

What Does FISMA Mean For You?

If you’re a federal security manager, FISMA requires you to gain complete and near real-time visibility into your own networks and those of your vendors. That means any third parties you use must also be in compliance. 

But the threat doesn’t stop with third parties; it’s critical to ensure their partners -- fourth and nth parties -- are also secure. This can pose a significant challenge, for a couple of reasons. First, smaller vendors may not have the capacity or expertise to continuously monitor their own systems. Second, the deeper the supply chain goes, the tougher it becomes to ensure that every link in the chain is maintaining proper security measures.

How Can You Monitor FISMA Compliance?

Traditional third-party cyber risk assessment practices, while helpful, are often time-consuming and inadequate because they provide only a brief snapshot of a vendor’s security posture. As recent third-party cyberattacks like the SolarWinds Orion attack prove, periodic assessments are not enough. Only continuous and automated monitoring -- which FISMA calls for -- is sufficient to ensure that third-party vendors remain in compliance with FISMA standards at all times.

Monitoring fourth parties is even more challenging, as it requires a deep dive into subcontractors and other providers you may not even know are part of your supply chain. Many of these organizations may be smaller companies -- some consisting of only a few employees -- that lack the means to build strong security programs of their own. This makes them particularly vulnerable, and makes understanding the connections between them and your third-party vendors even more important.

How Can Security Ratings Support Compliance?

Security ratings provide a measurable metric to determine third- and fourth-party risk. A security rating gives clear insight into your vendors’ cybersecurity postures, and offers CISOs and other members of the executive team an easily interpretable gauge of risk levels. The higher the rating, the lower the risk. A low vendor score may indicate heightened risk while presenting an opportunity to have an honest conversation with the vendor about the need to enhance their security measures.

Security ratings are derived from continuous monitoring of agencies and their vendor partners, thus satisfying one of the core FISMA requirements. Through continuous monitoring, you can proactively maintain FISMA compliance by addressing issues as they arise.

Want to learn more about third party risk management?

Download our ebook, which addresses ways to make your vendor lifecycle management more efficient without sacrificing security. It’s a valuable resource that can help you mitigate third-party risk and help strengthen your FISMA framework.
