As rapid technology changes continue in the defense industry, security, risk and compliance concerns are at the forefront of every contractor’s mind. With so many different policies and regulations regarding NIST, FISMA and FedRAMP, how can contractors ensure they know how all three of these entities are connected and function within the DoD community?
A Quick Guide to NIST, FISMA, and FedRAMP
NIST and FISMA: A Dependent Relationship
NIST (the National Institute of Standards and Technology) creates and releases guidance on best practices in numerous aspects of the hard sciences, including cybersecurity. The NIST Special Publications (SPs) on cybersecurity focus on a wide range of topics including security, privacy controls, risk management, and business continuity and contingency planning. These NIST standards are an essential aspect of federal information security readiness and lay the groundwork for the government’s approach to information security.
When working with NIST, it is hard not to notice its influence and relationship with the Federal Information Security Management Act of 2002 (FISMA) and its update in 2014 known as the Federal Information Security Modernization Act of 2014 (also known as FISMA). For government agencies and contractors to be compliant with FISMA, they need to be compliant with NIST standards as NIST builds the framework for FISMA. So, how do NIST and FISMA relate to another critical DoD security aspect: FedRAMP?
Another Member of the Community: FedRAMP
FedRAMP stands for the Federal Risk and Authorization Management Program. FedRAMP is a government-wide solution to secure cloud services. This critical program “enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.” The program currently covers five million assets and 1/3 of the world’s internet traffic. Additionally, FedRAMP creates $130 million in cost avoidance.
FedRAMP and NIST are connected by the fact that FedRAMP is built upon several NIST documents. NIST SPs that are related to FedRAMP include 800-53 (system controls) and 800-37 (risk management).
The DoD world is highly focused on security compliance and risk management. For both government agencies and defense contractors, it is essential to know how the three most significant players, NIST, FISMA, and FedRAMP relate to each other and function. A greater understanding of these critical entities will prevent security issues and avoid unnecessary risk.
Are you a DoD contractor with questions and concerns regarding NIST, FISMA, and FedRAMP and how they affect your business? If so, it is best to consult a professional security solutions expert. At Entrust Solutions, we provide our clients with premier security consulting and services to ensure compliance with DoD regulations and policies.