FISMA Audit & FIPS 199 Assessments

NIST SP 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Compliance Services

Need help with NIST SP 800-171?

If you are a non-federal organization that operates and maintains systems storing, processing or transmitting Controlled Unclassified Information (CUI), the federal government's security requirements outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to you. Failure to comply may affect new and current federal and Department of Defense (DoD) contracts.

As your expert security partner, FRSecure can provide you with the necessary assessment and consulting services to meet the NIST SP 800-171 and DFARS security requirements. FRSecure offers two gap analysis options to help determine how close your organization and current information security program are to meeting these federal requirements.

What is a FIPS 199/FISMA audit?

A FISMA assessment or audit is designed to determine areas of compliance and areas requiring remediation to become FISMA compliant. FRSecure assesses the Client's current information security practices and controls against those listed in National Institute of Standards and Technology ("NIST") Special Publication 800-53 Revision 3 ("SP 800-53 Rev. 3"), "Recommended Security Controls for Federal Information Systems and Organizations".

This assessment starts with determining the appropriate Federal Information Processing Standard (“FIPS”) Publication 199 Security Assurance Level (“SAL”), and then proceeds through assessing the appropriate security controls.

Why would I want a FIPS 199/FISMA audit?

FISMA audits or assessments are most common in government organizations or in organizations that do work for the government. For organizations that fit this description, FISMA compliance is often a requirement.

What is the process for completing a FIPS 199/FISMA audit?

At a high level, the FISMA audit process is comprised of the following steps:

  1. Determine the appropriate Federal Information Processing Standard ("FIPS") Publication 199 Security Assurance Level ("SAL")
  2. Conduct a FISMA gap analysis to determine areas of compliance and areas requiring remediation to become FISMA compliant

The gap analysis assesses the organization's current information security practices and controls against those listed in National Institute of Standards and Technology ("NIST") Special Publication 800-53 Revision 3 ("SP 800-53 Rev. 3"), "Recommended Security Controls for Federal Information Systems and Organizations".

Controls are assessed in the following areas of information security:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment and Authorization
  • And many more…

What are the deliverables of a FIPS 199/FISMA audit?

Deliverables for a FISMA audit are:

  • Executive Report
    • The executive report contains a description of the assessment and an executive summary. A high-level summary of compliance is provided, along with detail on the individual standards, including variance information and compliance by common groupings.
  • FISMA Analysis Detail Report
    • The detail report builds on the contents of the executive report by adding a gap analysis and questions-and-answers sections. The gap analysis lists each component question where the answers did not meet the required Security Assurance Level ("SAL"). Questions and answers are sorted by rank. Color codes are included to present a clearer compliance picture for each question.

What does a FIPS 199/FISMA audit cost?

The cost of FISMA audits or assessments is largely determined by the size and complexity of the environment. Because of this, FRSecure strives to determine the best possible approach for our clients to ensure successful completion of the audit in a cost-effective way. All you need to do is spend a few minutes on the phone with our team to make sure we are delivering exactly what you need and want.

What FIPS 199/FISMA audit options are there?

Option 1 Full FISA with Gap Analysis

Our Full Information Security Assessment (FISA) leverages and references current security frameworks and standards found in ISO/IEC 27001:2013 and the NIST Cybersecurity Framework (CSF), both of which map to the NIST SP 800-171 security requirements.

The four phases of a FISA are:

  • Phase 1: Administrative Controls. The people part of security, including risk management, security governance, policies, standards, training and employee awareness.
  • Phase 2: Physical Controls. How much does your anti-virus protection mean to you if someone steals your server? Physical controls are an essential and often overlooked part of your security strategy.
  • Phase 3: Technical Controls (Internal). We affectionately call this the gooey center. Most organizations do a pretty good job at securing the technical perimeter (firewalls, intrusion detection, etc.), but sometimes neglect the controls that are essential for an effective defense-in-depth strategy.
  • Phase 4: Technical Controls (External). This category covers how effective your organization is at keeping the bad guys out of your network.

The FISA assessment is comprehensive. From that, FRSecure will map the relevant NIST controls and provide a gap analysis.

Your organization will receive all our standard FISA deliverables, which include the executive summary, the full report and the action plan. You will also receive an additional report that maps the FISA results to the NIST SP 800-171 controls. The gap analysis and the FISA action plan can be used to build your remediation plan. This option provides both an overall security assessment against industry best practices and the information needed to begin addressing gaps in your CUI protection measures.

Option 2 Gap Analysis

Your other option is a more narrowly scoped assessment of how well your information security program meets the security requirements outlined in the NIST SP 800-171 controls. Your organization will receive a report displaying each control and your level of compliance with that control. While this option will give you a final gap analysis to build your remediation plan from, it does not assess your full information security program against industry best practices.

With a completed NIST SP 800-171 gap analysis, FRSecure can help your organization develop a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M), and help remediate gaps in policy, process and/or training. Our expert team has proven experience in establishing effective, measurable and enforceable organizational controls in support of DoD, federal, financial and healthcare compliance frameworks.