Anyone working with a federal agency will face one of these sooner or later. The best way to sail through is to know what auditors are looking for.

Adam Ely, COO, Bluebox

March 18, 2010


From the Mar. 22, 2010 issue of InformationWeek.

The Federal Information Security Management Act, known as FISMA, is typically thought to apply only to government organizations. However, contractors and vendors that provide services to, manage systems on behalf of, or maintain close relationships with a government agency may be held to the same or similar standards.

That can be a problem because FISMA regulations are confusing at best and more commonly just plain overwhelming. Not surprisingly, a cottage industry has sprung up of expensive contractors who promise FISMA help.

Here's what they don't want you to know: Staying on the right side of FISMA auditors is a matter of common sense and solid security best practices. You're probably already doing much of what's required if you're complying with other security requirements, like PCI DSS for payment card data.

What follows are 10 commonsense steps you can take to prepare for a FISMA audit. Basic FISMA compliance won't always meet every government organization's security requirements--for example, you may be required to implement stricter data control requirements or a more involved change control process--but it will give you a sturdy base to build on.

1. Don't let details overwhelm you.

When FISMA was drafted eight years ago, its six tenets were nothing less than groundbreaking. Where information security had long been an afterthought in most government agencies, it was brought to the forefront and made a requirement.

While these tenets are broad, their intent can be distilled: Agencies and their contractors need to build frameworks to address information security and risk management within their organizations. An accountable party must be tasked with information security, so that it won't fall by the wayside. And the government recognized, possibly for the first time, that the private sector has much to offer in protecting public information assets.

FISMA provides a bare-minimum starting point for organizations to build and take responsibility for their information security programs.

2. Protect the data.

Throughout FISMA, the emphasis is on protecting information rather than systems. Systems and system security are important, of course, but in most cases it's the data on those systems that has the most value.

Start with the data that's critical to your organization and to the agency you work with, then work outward to the systems, network segments, and people around that data. This will not only align you more closely with FISMA, it will give you a more cost-effective, risk-based security program.

To read the rest of the article, download the Mar. 22, 2010 issue of InformationWeek.

About the Author(s)

Adam Ely

COO, Bluebox

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce, where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company, where he was responsible for security operations and application security of Walt Disney web properties.
