4 Things to Know About FISMA

Brian Thomas | January 11, 2021 | tag: Third Party Risk Management

Recently we wrote about the top cybersecurity frameworks to reduce cybersecurity risk, and the Federal Information Security Management Act (FISMA) certainly belongs in that list. But what is FISMA? Who does it apply to? Why is it so important?

Let’s take a look at four things to know about FISMA, from what it is to how to monitor FISMA compliance.

What Is FISMA?

Put simply, FISMA provides federal agencies with guidance to create effective cybersecurity programs that protect government information. FISMA sets standards for both first- and third-party compliance, ensuring that agencies are not only secure themselves, but also that any vendors they work with continue to maintain high security standards. The framework includes nine steps to better cybersecurity, ranging from identifying and implementing security controls to continuous monitoring and evaluation.

FISMA calls for a holistic and measurable approach to cybersecurity. Agencies and their vendors must define cybersecurity KPIs and metrics that show they are successfully protecting their information, and must perform annual security reviews and continual risk assessments. This information is necessary to demonstrate FISMA compliance.

What Does FISMA Mean For You?

If you’re a federal security manager, FISMA requires you to gain complete and near real-time visibility into your own networks and those of your vendors. That means any third parties you use must also be in compliance.

But the threat doesn’t stop with third parties; it’s critical to ensure that their partners (fourth and nth parties) are also secure. This can pose a significant challenge, for a couple of reasons. First, smaller vendors may not have the capacity or expertise to continuously monitor their own systems. Second, the deeper the supply chain goes, the tougher it becomes to ensure that every link in the chain is maintaining proper security measures.

How Can You Monitor FISMA Compliance?

Traditional third-party cyber risk assessment practices, while helpful, are often time-consuming and inadequate because they provide only a brief snapshot of a vendor’s security posture. As recent third-party cyberattacks like the SolarWinds Orion compromise show, periodic assessments are not enough. Only continuous and automated monitoring, which FISMA calls for, is sufficient to ensure that third-party vendors remain in compliance with FISMA standards at all times.

Monitoring fourth parties is even more challenging, as it requires a deep dive into subcontractors and other providers you may not even know are part of your supply chain. Many of these organizations are smaller companies (some consisting of only a few employees) that may not have the means to build strong security programs of their own. This makes them particularly vulnerable, and it makes understanding the connections between them and your third-party vendors even more important.

How Can Security Ratings Support Compliance?

Security ratings provide a measurable metric to determine third- and fourth-party risk. A security rating gives clear insight into your vendors’ cybersecurity postures, and offers CISOs and other members of the executive team an easily interpretable gauge of risk levels. The higher the rating, the lower the risk. A low vendor score may indicate heightened risk while presenting an opportunity to have an honest conversation with the vendor about the need to enhance their security measures.

Security ratings are derived from continuous monitoring of agencies and their vendor partners, thus satisfying one of the core FISMA requirements. Through continuous monitoring, you can proactively maintain FISMA compliance by addressing issues as they arise.

Want to learn more about third party risk management?

Download our ebook, which addresses ways to make your vendor lifecycle management more efficient without sacrificing security. It’s a valuable resource that can help you mitigate third-party risk and help strengthen your FISMA framework.
