With questions surfacing around CMMC and the changing regulatory landscape, Tony Bai, Federal Practice Lead at A-LIGN, offers his expert advice on a variety of federal compliance topics to help you understand what frameworks your organization should care about, how you can prepare and what is on the horizon for federal compliance.
There are more than 20 optional regulatory factors that an organization can consider as part of a HITRUST assessment. These are individual options, based on specific industry requirements, and can be quite tricky to parse.
“5 HITRUST Regulatory Factors to Consider for International and State-level Privacy Compliance”
Our discussion of HITRUST regulatory factors continues with a focus on federal compliance and their influence on HITRUST. Here are 7 HITRUST regulatory factors to consider for federal compliance, and our recommendations on how to address them.
“7 HITRUST Factors to Consider for Federal Compliance”
The world of compliance is filled with acronyms and abbreviations for some of its more complicated regulation systems and organizations. There is perhaps no better example than the long list of acronyms associated with federal compliance laws. “Federal Compliance Definitions: A Glossary of Terms”
Federal assessments like FedRAMP, FISMA and NIST 800-171 help mitigate the risk of data breaches to important federal government agencies and departments, making them mandatory assessments used for federal security standards. “Protecting the Nation: How to Achieve Federal Compliance”
In an effort to stabilize the health insurance market and provide additional ways for consumers to access coverage, the Center for Consumer Information and Insurance Oversight (CCIIO) and the Centers for Medicare and Medicaid (CMS), have launched a new streamlined and simplified enhanced direct enrollment (EDE) process. “Operational Readiness Review for Enhanced Direct Enrollment Pathway”
When pursuing federal clients or servicing existing federal clients, there are a number of unique compliance needs due to the sensitivity of the federal information. Standards such as FedRAMP and FISMA exist to create consistent security standards for organizations seeking federal agency clientele. FISMA, or the Federal Information Security Management Act of 2002 is the standard specifically used for federal agencies who are seeking an ATO, or an authority to operate by government agencies.
FedRAMP, or the Federal Risk and Authorization Management Program, is a government program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
FedRAMP vs. FISMA: Similarities
FISMA and FedRAMP have similarities in that they both share the same standard, utilizing the same controls set within NIST 800-53. These controls include:
- Access Controls
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental
- Personal Security
- Risk Assessment
- System and Service Acquisition
- System and Communications Protection
- System and Information Integrity
- Program Management
Additionally, both standards use the same requirements with the ability to offer prescriptive implementation levels depending on the risk within each system (low, moderate or high). Within each control family, the impact level and the number of controls tested can be broken down further. Below, you can review the number of controls tested at each impact level for both FISMA and FedRAMP.
Now that we understand the similarities among the two standards let’s begin to understand the differences.
FedRAMP vs. FISMA: Understanding the Differences
When becoming FISMA compliant, organizations are awarded an ATO from the specific federal agency to the organization, which is considered a one-to-one process. A one-to-one process means that each agency that an organization is seeking authorization from will have different requirements because of the unique needs that an agency may have, and thus multiple ATOs from multiple agencies must be maintained in order to keep those federal contracts. Thus, each authorization is done one at a time.
When becoming FedRAMP compliant, organizations are awarded an ATO that can be leveraged by any federal agency, which supports a “do once, use many” framework that provides a streamlined process for CSPs. FedRAMP, because of this framework, is more rigorous as it is intended to be used by any agency. In addition, FedRAMP is specifically designed with the needs of CSPs in mind, making it the appropriate assessment for cloud providers. Organizations are provided a P-ATO, provisional authorization to operate, or ATO, authorization to operate if a 3PAO’s, or third-party assessment organization, determines that the provider can demonstrate that the cloud services meet the baseline controls in FedRAMP. Once the 3PAO assesses and reviews the documentation, the results are submitted for final revision, at which time, an organization is awarded a P-ATO or ATO.
Additionally, FedRAMP’s authorization program requires that cloud providers receive an independent security assessment conducted by a 3PAO, or third-party assessment organization. Federal organizations are required to utilize companies that are FedRAMP-authorized when purchasing cloud services.
Becoming NIST 800-53 Compliant
As an accredited 3PAO, A-LIGN is able to manage your security needs and help you decide which standard is the best fit for your company. Understanding the differences between FedRAMP and FISMA is the first step to deciding which standard is appropriate for your organization based on organization type and compliance goals.
Regardless of the assessment that is right for your organization, the NIST guidelines allow organizations to use cloud services with increased security and efficacy. Contact the A-LIGN team today to discuss the benefits of FISMA or FedRAMP for your organization.
If you have any questions on becoming compliant with NIST 800-53 standards, please reach out to one of A-LIGN’s experienced assessors at [email protected] or 1-888-702-5446.
FISMA, or the Federal Information Security Management Act of 2002, assesses the controls outlined in NIST 800-53. You can review those requirements in Figure 1, below.
One of the benefits of FISMA is that it provides different implementation options depending on the levels of potential impact for an organization or individual if there were a security breach. A breach of security could be a loss of confidentiality, integrity, or availability. The three FISMA implementation levels are: low, moderate and high.FISMA established security guidance for federal entities and their agencies to adhere to, and thus organizations looking to win government contracts must adhere to the standards. The focus of this program is to improve the security of information through the creation of clear standards that can be used by all deferral agencies, in order to protect the security of information and information systems.
Low-impact systems are systems that, if compromised in some way, would only have limited adverse effects on the organization or individuals.
Moderate-impact systems with a breach in security result in a serious adverse effect on an organization’s operations, organizational assets or individuals.
High-impact systems are of critical importance to a government entity. A breach of any kind would result in severe or catastrophic amounts of damage to the organization, and could potentially result in a shutdown of operations, significant fiscal loss, physical damage to individuals, or a severe loss of intellectual property.
Achieving FISMA Certification
For organizations looking to win government contracts, FISMA provides clear requirements for the development, documentation and implementation of an information security system for its data and infrastructure. To learn more about implementing FISMA requirements as set in NIST 800-53, please contact us at [email protected].