What is FISMA and How Do I Achieve Compliance?

What is FISMA?

The Federal Information Security Management Act, or FISMA as it is commonly known, was signed into law in 2002 as part of the Electronic Government Act of 2002 and later amended in 2014. Its purpose is to improve government cybersecurity by creating information security risk management standards that government offices, contractors, and sub-contractors need to abide by.

FISMA requires agency heads to conduct annual reviews to ensure that their departments, contractors, and sub-contractors are FISMA-compliant. Failure to follow FISMA guidelines can result in reduced federal funding and/or other penalties. Contractors and subcontractors who fail to comply with FISMA are in danger of losing their government contracts and facing resultant negative publicity that could lead to a long-term loss of business.

FISMA Requirements

Information System Inventory

Any government department or private business subject to FISMA guidelines must keep an inventory of all information systems used by the business as well as keep track of integrations that enable one or more systems to work together.

Information Categorization

All information processed by a government agency or FISMA-accredited business must be categorized according to its sensitivity. A company working with sensitive files must not only create and adhere to strict file storage guidelines but also ensure that every system processing this information adheres to high cybersecurity standards. Moderately sensitive and non-sensitive information must likewise be stored and processed securely; however, the standards are lower than those set for highly classified information. If a company is working with mixed information (i.e., some non-sensitive information and some highly sensitive information), the standards that apply to the most sensitive information must be put in place.

Security Planning and Controls

Security planning and controls must be put in place to ensure IT data and systems are secure at all times. This means that a company must create and regularly update a cybersecurity plan that includes cybersecurity rules for its employees, cybersecurity controls to prevent accidental or deliberate data leaks, and security practices that make it difficult for hackers to gain access to the corporate IT network. Additionally, a company or agency must continually monitor its cybersecurity performance to ensure there are no vulnerabilities that could be exploited by malicious third parties.

Three-Tiered Risk Assessment

Companies that want to receive or keep FISMA accreditation must be willing to conduct periodic three-tiered risk assessments. These assessments should look for risks at the organizational level, business process level, and information system level. The three-tiered risk assessment must also be conducted every time a company makes changes to its IT systems.


Companies that want to receive accreditation must conduct system documentation and risk assessments every single year. When these are finished, a senior company official is required to formally sign off on the security controls the company has put in place. If the company in question falls short of FISA guidelines, the company officials who signed their names on the dotted line are held responsible for the breach.

How did FISMA Fall Short?

Experts agree that FISMA has helped improve cybersecurity for government agencies and the contractors and subcontractors that work with them. However, it does have some serious flaws that have made it possible for hackers to gain access to federal agencies in recent years. As one expert accurately noted, FISMA offered a checklist of things to do to improve cybersecurity without bringing about a change in corporate culture that motivated company and agency employees to adhere to best cybersecurity practices. Others have pointed out that FISMA puts a premium on security planning without putting enough emphasis on information security.

The stats clearly show that FISMA was not enough to maintain a high cybersecurity standard for Federal agencies and departments. From 2014 to 2019, Federal government agencies experienced more than 440 data breaches. A breach of the Office of Personnel Management in DC was particularly notable as it revealed not only personal information about 20 million current and former OPM employees but also sensitive information such as fingerprints. Another disastrous breach occurred in 2017 when cybersecurity firm UpGuard discovered data from the US Army Intelligence and Security Command on a public cloud that could easily be accessed by members of the general public. The data included classified information about the Department of Defense’s battlefield intelligence platform, its Distributed Common Ground System, private keys for accessing intelligence systems, and hashed passwords. More than 100GB of data was compromised, with some of the data being available for both viewing and download.

From FISMA to the CMMC

To protect valuable data from breaches, hacks, and malware, the Department of Defense issued the Cybersecurity Maturity Model Certification (CMMC) in January 2020. Two updates have been made to the plan since then. The CMMC specifically targets the more than 300,000 contractors that partner with the DoD; what’s more, subcontractors that work with these contractors may also be required to receive CMMC certification.

CMMC builds on FISMA’s cybersecurity guidelines but with one important difference: companies cannot certify compliance on their own. Instead, companies that need CMMC accreditation must be assessed by a third-party auditor. What’s more, the CMMC offers five levels of accreditation to make it easy for the DoD to determine the level of information that each of its contractors is able to handle. Level One accreditation, which is the lowest level, requires a company to maintain good cybersecurity practices such as selecting strong passwords and changing them often, using top-tier antimalware programs, and keeping software updated to prevent vulnerabilities that could lead to a breach. Levels Two and Three are intermediate, while Levels Four and Five are advanced. Companies seeking advanced levels of accreditation must be able to withstand organized, targeted cyberattacks from rogue nations as well as individual hackers, adhere to all or nearly all NIST 800-171 controls, and have the tools and expertise required to continually improve their cybersecurity capabilities.

What’s Next?

Sadly, not all companies that claimed to be FISMA compliant were actually keeping all FISMA cybersecurity guidelines. This is one of the reasons why the Department of Defense created the CMMC earlier this year. However, the good news is that companies that kept all pertinent FISMA regulations should have the tools and expertise in place to update to CMMC standards. This is particularly true for companies that only need basic or intermediate certification to handle DoD-related jobs. CMMC, like FISMA, requires companies to have written plans and procedures in place covering important topics such as:

  • Access control. Who has access to your data? Do suppliers and contractors that work with your firm have the appropriate level of CMMC certification? Do employees have access only to the data they absolutely must have to do their jobs?
  • Incident response plans. Even companies with top-tier cybersecurity measures in place aren’t 100% safe from hackers. Do you have measures in place to deal with an attack in progress or one that has been detected after the fact? How will you determine what data has been compromised and notify those who have been affected by the breach?
  • Network security. What measures do you have in place to protect your IT set-up from breaches? Do you use and regularly update a strong antivirus program and next-generation firewall software? Do you have strong mobile management and endpoint protection to ensure that devices connecting to your network from outside your office are fully secure? Do you have a VPN to protect data as it travels to and from your cloud server? Does your company conduct regular penetration testing to ensure there are no vulnerabilities that could be exploited by a malicious third party?
  • Change Management. FISMA makes it clear that a company must conduct a three-tiered risk assessment whenever changes are made to its IT set-up. Does your company have someone who can handle this task? Changes include not only software upgrades but changes in hardware as well.

Get Compliant Now

Achieving FISMA compliance is a good first step towards becoming CMMC compliant. It’s important to take measures now to improve your cybersecurity set-up, especially if you hope to bid on DoD contracts now or in the near future. The Department of Defense will require companies bidding on new contracts to have the appropriate level of CMMC certification and it takes time to not only achieve compliance but also schedule an appointment with a third party that can assess your set-up and provide needed accreditation.

Becoming FISMA and CMMC compliant is no small task, especially if your business is bidding on government contracts for the first time. Thankfully, you can avail yourself of professional help by partnering with an outsourced IT department that specializes in CMMC consulting. LaScala IT is a Michigan-based outsourced IT department that offers CMMC consulting and assistance to government contractors throughout the United States. Our firm, which has been in operation since 2010, can provide all the tools and technologies you need to not only achieve full compliance but also improve operational standards, maintain network speed and optimization, streamline work procedures to boost employee morale and productivity, and keep your devices and network free from hacks, malware, breaches, and other cyberattacks. Our services include:

  • Managed and Co-Managed IT Services. If you have one or more IT technicians, we will partner with your IT department to offer the additional tools and services you need. If not, our team of IT experts and our specialist subcontractors are prepared to take on 24/7 IT services and continually monitor your network to proactively prevent downtime, breaches, and other problems.
  • Cybersecurity Tools and Services. Our team continually stays abreast of IT trends and developments to ensure you have access to the best cybersecurity services on the market. We conduct full system reviews, endpoint cybersecurity checks, and penetration testing to ensure your IT set-up is safe at all times. We also proactively look for and eliminate vulnerabilities that could lead to a future breach.
  • Strategic IT Consulting. Our team of experts can help you create an efficient, fully secure IT set-up that will meet your current and future needs. Our team also offers employee IT training to help your staff members learn how to manage new programs easily and securely.

Are you looking for an outsourced IT department with full and co-managed cybersecurity plans that is familiar with FISMA, CMMC, and other federal cybersecurity regulations and standards? If so, get in touch with us at your convenience to learn more about our services and/or to make an appointment with our team of IT experts. We take pride in helping companies not only achieve certification but also improve their overall cybersecurity standards to provide a secure, optimized work environment now and in the future.