The Federal Information Security Management Act, or FISMA, was created to protect the security of government data. It’s the role of any government employee or agency, along with any contractor or vendor that works with the government, to make sure they’re compliant with FISMA. This includes regular security checks and monitoring, training for employees, and plans to recover from data breaches.
Compliance can be confusing and frustrating for vendors who are new to FISMA compliance. Follow this guide, along with this FISMA Compliance Checklist, to make sure you have everything you need for your audit.
You’re Reducing Risk, Not Eliminating It
Many agencies try to reach a risk level of zero to achieve a 100 percent compliance score on their report. This is nearly impossible and can leave many companies in a worse place because they’re trying to cover up problems or find makeshift solutions for them. Your company’s time is better spent identifying ways to reduce risk and providing solutions for potential breaches or hacks.
Before your audit, make sure you have processes in place in case something happens. How will you be alerted? What steps will you take to contain the incident and limit the damage to the data? This proves that you’re actively taking steps and thinking ahead, instead of covering up potential weaknesses.
Monitoring is Mandatory; Reporting Will Help
FISMA requires small businesses and contractors to monitor the systems they use to ensure data security. This includes setting alerts when something is broken and implementing plans to fix the system and maintain data integrity. Monitoring will quickly help your company stay in FISMA compliance, but reporting will make sure your business goes the extra mile.
Your auditors will expect annual reports on the security of the data, but you may want to invest in weekly or monthly automated reports that demystify your security levels and allow management to see where any potential weaknesses are. The reports will also allow you to see trends over time and spot small problems before they become major ones. This proves to the government auditors that you’re capable of making changes.
Test Your Controls and Backup Plans
Treat your FISMA controls like a fire alarm: If the alarm is never tested or regularly maintained, it will be completely useless in case of a fire. Throughout the year, run tests of your protocols to see if they make sense and identify problems in the flow and workload. Proof that your systems work and documentation of adjustments will go a long way during your annual FISMA audit.
Keep in mind that the government levies fines for data breaches based on the efforts the company made to keep the data safe. If the vendor did everything it could to fix the hole as soon as it was identified, it will receive a more lenient penalty than a company that couldn’t fix the hole and lost data for a significant period of time. In the case of FISMA, time is money.
Your FISMA auditor wants to make sure you know what you’re going to do to prevent a breach and why. The audit is less about eliminating risk and more about knowing how to solve problems when they arise.