10 Steps To Ace A FISMA Audit

Anyone working with a federal agency will face one of these sooner or later. The best way to sail through is to know what auditors are looking for.

Adam Ely, COO, Bluebox

March 18, 2010


The Federal Information Security Management Act, known as FISMA, is typically thought to apply only to government organizations. However, contractors and vendors that provide services to, manage systems on behalf of, or maintain close relationships with a government agency may be held to similar standards.

That can be a problem because FISMA regulations are confusing at best and more commonly just plain overwhelming. Not surprisingly, a cottage industry has sprung up of expensive contractors who promise FISMA help.

Here's what they don't want you to know: Staying on the right side of FISMA auditors is a matter of common sense and solid security best practices. You're probably already doing much of what's required if you're complying with other security requirements, like PCI for payment accounts data security.

What follows are 10 commonsense steps you can take to prepare for a FISMA audit. While basic FISMA compliance won't always meet every government organization's security requirements--for example, you may be required to implement stricter data control requirements or a more involved change control process--you will have a sturdy base to build on.

1. Don't let details overwhelm you.

FISMA's Original Purpose

  • Provide a comprehensive framework for ensuring the effectiveness of information security controls that support federal operations and assets.
  • Establish effective government-wide management and oversight of related information security risks, including coordination of civilian information security efforts.
  • Provide for development and maintenance of minimum controls required to protect federal information and information systems.
  • Acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security.
  • Recognize that agencies should be able to select specific hardware and software from among commercial products.

When FISMA was drafted eight years ago, its six tenets were nothing less than groundbreaking (see box above). Where information security had long been an afterthought in most government agencies, it was brought to the forefront and made a requirement.

While these items are broad, their intent can be distilled: Agencies and their contractors need to build frameworks to address information security and risk management within their organizations. An accountable party must be tasked with information security, so that it won't fall by the wayside. And the government recognized, possibly for the first time, that the private sector has many benefits to offer in terms of protecting public information assets.

FISMA provides a bare-minimum starting point for organizations to build and take responsibility for their information security programs.

2. Protect the data.

Throughout FISMA, there's an emphasis on protecting information rather than systems. Systems and system security are important, of course, but in most cases, it's the data on these systems that has the most value.

Look at the data that's critical to your organization and the agency you work with. Work outward to the systems, segments, and people around that data. This will not only better align you with FISMA, it will give you a more cost-effective, risk-based security program.

3. Accept that some risk is OK.

A 100% clean assessment checklist means the organization being assessed either lied or the assessor missed something, because there is always something to be found. Even the government accepts this as part of FISMA, stating that agencies must implement policies and procedures to "cost-effectively reduce risks to an acceptable level."

There it is in black and white--the U.S. government telling you to be cost prudent, take a risk-based approach, and accept risk when necessary.

What's acceptable will vary from auditor to auditor. Use common sense, and when in doubt, do some research to understand how best-practices frameworks handle the risk. Typically, if you can provide reasonable thought behind a decision and show compensating controls in other areas, auditors will be open to discussing the situation.

4. Appoint someone to own data security.

FISMA requires organizations to appoint someone responsible for information security, with accountability ultimately rolling up to the CIO. Outside the government, many organizations have adopted other management paths for information security. Don't get hung up on the "letter of the law" here: The CIO doesn't need to be the person responsible. What must be in place, though, is a person who has ultimate oversight over information security matters, policies, and risk management and who's free from conflicts that may arise from other responsibilities.

That said, don't go too far down the ladder, either. A single, lowly system or network administrator responsible for security as part of a greater duty set isn't going to pass muster.

5. Implement a written plan and a budget.

Don't make security part of the miscellaneous bucket, where you force admins to rob Peter to pay Paul. This indicates to auditors a lack of planning and foresight. Set a budget, even if it's a small one to start, to show your clients and assessors that you're serious about security.

6. Embrace reporting.

Like many IT pros, I dislike reports. But the fact is, reports can actually save time and very often reduce misunderstandings. Keep in mind that assessors want their reports, and FISMA requires annual reporting for government agencies.

Automation is key here, so invest in software that will save time and money in the long run. Spend the time needed to automate as many reports as you can. Pretty is not key.

Implementing technologies to provide better insight, refine reporting metrics, and reduce workload will go a long way with auditors while increasing the effectiveness of your security program. For example, a security information and event management system such as ArcSight or OSSIM can be invaluable in helping to correlate information from which metrics can be derived and reports built.

7. Note that monitoring is mandatory.

FISMA requires continuous monitoring of certain controls, such as system changes, configuration management, ongoing assessments of security controls, and reporting activities. Monitoring can be costly and overwhelming, so look at what tools you already have and determine if they can be used to meet this requirement. For example, are you logging activity already? Is someone looking at reports periodically, and does the tool support automated alerts? Great--pass security logs through this process. If not, look to automate as much as possible without breaking the bank, such as with the open source OSSIM tool. Also go with a system that can benefit the organization in ways other than just security, such as Splunk for log management.

8. Test controls and be able to prove you did so.

FISMA requires that organizations evaluate the controls they have in place regularly, at least annually. Many companies stumble with this. Testing needs to be thought out. Spend time planning this step to meet these goals:

  • Thoroughly evaluate the controls;
  • Retain evidence of evaluation and findings; and
  • Implement a process to remediate findings.

Keep proper documentation, plan this step before beginning the evaluation, and assign someone ownership of the remediation project--it will make the process much smoother. And to avoid stumbling in this area, employ an audit-tracking system.

9. Follow the leader.

Investigate the controls stressed by the agency that will be assessing your program, and follow its lead. If you have yet to win a contract, search Google for information security policies and requirements for providers at the agency you want to work with. If you can't find anything online, call the office of the CIO and ask for guidance.

10. Still confused? Time for outside help.

Don't be afraid to ask your assessors or clients for recommendations on security products and services. If this isn't possible, bring in a consultant familiar with FISMA to evaluate your plans. A few hours of consulting fees may save you a lot of hassle and cost during the remediation process.

We worked with one information security manager whose company was undergoing a review by a federal agency. He read everything he could and talked to colleagues, but in the end what paid off most was attending an event where federal security practitioners were available for questions. There, he met someone willing to provide pointers and insight into specific control areas free of charge.

When all is said and done, FISMA compliance isn't much different from other standards. Bottom line: Look at a FISMA audit as an impetus to implement better security, provide value to your customers, and do the right thing by those whose data you hold.

Adam Ely is director of security for TiVo.


About the Author(s)

Adam Ely

COO, Bluebox

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties including ABC.com, ESPN.com, and Disney.com.
