When pursuing federal clients or servicing existing ones, organizations face a number of unique compliance requirements because of the sensitivity of federal information. FISMA and FedRAMP exist to apply consistent security standards to organizations that serve federal agencies. FISMA, the Federal Information Security Management Act of 2002, is the law under which a federal agency's authorizing official grants an authority to operate (ATO) for a specific information system, whether that system belongs to the agency itself or to a contractor that processes federal data on its behalf.
FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring specifically for cloud products and services.
FedRAMP vs. FISMA: Similarities
FISMA and FedRAMP are similar in that both are built on the same control catalog, NIST SP 800-53. Its control families include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental Protection
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
- Program Management
Additionally, both programs select controls from that catalog using the same three impact levels (low, moderate or high), so the number of controls a system must implement and have tested depends on the impact level assigned to it. Within each control family, the set of controls tested can be broken down further by impact level. Below, you can review the number of controls tested at each impact level for both FISMA and FedRAMP.
Now that we understand the similarities between the two standards, let's look at the differences.
FedRAMP vs. FISMA: Understanding the Differences
Under FISMA, an organization is awarded an ATO by one specific federal agency for one specific system, which makes it a one-to-one process. Each agency the organization seeks authorization from may impose different requirements based on its own needs, so an organization serving several agencies must obtain and maintain a separate ATO from each of them in order to keep those federal contracts. Each authorization is therefore done one at a time.
Under FedRAMP, a cloud service provider (CSP) is awarded an authorization that any federal agency can leverage, supporting a "do once, use many" model that streamlines the process for CSPs. Because a single authorization is intended to be reused across agencies, FedRAMP is the more rigorous of the two: its baselines add controls and parameters on top of the NIST 800-53 baselines, and a CSP must undergo an independent security assessment by a FedRAMP-accredited third-party assessment organization (3PAO). The 3PAO tests whether the cloud service meets the applicable FedRAMP baseline and reviews the supporting documentation; the resulting assessment package is then submitted for final review, after which the CSP is granted either a provisional authority to operate (P-ATO) from the FedRAMP Joint Authorization Board or an ATO from a sponsoring agency. FedRAMP is designed with the needs of CSPs in mind, making it the appropriate assessment for cloud providers, and federal agencies are required to use FedRAMP-authorized services when purchasing cloud services.
Becoming NIST 800-53 Compliant
As an accredited 3PAO, A-LIGN can assess your environment and help you decide which standard is the best fit for your company. Understanding the differences between FedRAMP and FISMA is the first step in choosing the standard that is appropriate for your organization based on its type and compliance goals.
Whichever assessment is right for your organization, following the NIST guidelines lets you use cloud services with greater security and assurance. Contact the A-LIGN team today to discuss the benefits of FISMA or FedRAMP for your organization.
If you have any questions on becoming compliant with NIST 800-53 standards, please reach out to one of A-LIGN’s experienced assessors at firstname.lastname@example.org or 1-888-702-5446.