As rapid technology changes continue in the defense industry, security, risk, and compliance concerns are at the forefront of every contractor’s mind. With so many different policies and regulations regarding NIST, FISMA, and FedRAMP, how can contractors ensure they know how all three of these entities are connected and function within the U.S. Department of Defense (DoD) community? It all starts with understanding the relationship between NIST and FISMA.
A Dependent Relationship Between NIST and FISMA
NIST (the National Institute of Standards and Technology) creates and releases guidance on best practices in numerous aspects of the hard sciences, including cybersecurity. The NIST Special Publications (SPs) on cybersecurity focus on a wide range of topics, including security, privacy controls, risk management, and business continuity and contingency planning. These NIST standards are an essential aspect of federal information security readiness and lay the groundwork for the government’s approach to information security.
NIST relates to secure file sharing and information governance. To put this standard into the simplest of terms, it covers how you store, access, exchange, and govern sensitive (but unclassified) information with the DoD. Information under NIST 800-171 can be broken into two distinct types, Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI).
When working with NIST, it is hard not to notice its influence and the clear relationship between NIST and FISMA (both the Federal Information Security Management Act of 2002, as well as its update in 2014, known as the Federal Information Security Modernization Act of 2014). For government agencies and contractors to be compliant with FISMA, they need to be compliant with NIST standards, as NIST builds the framework for FISMA.
How Can a Contractor Demonstrate Compliance with NIST?
There are several steps that a business can take to ensure NIST 800-171 compliance. When evaluating compliance, it is essential to locate and categorize information. Once an organization conducts an evaluation, the organization must then put a limit on information access and ensure a monitoring system is in place to guard against unauthorized access.
Compliance Step # 1: Locate systems in your network that contain CTI/CUI. Businesses need to review all locations where CTI/CUI may be stored. This includes central file shares, endpoints, mail servers, and any system where files may have been shared, stored, or transferred.
Compliance Step # 2: Categorize files and separate out CTI/CUI information. The NIST 800-171 regulation outlines the various categories of CTI/CUI information that must be categorized and labeled accordingly. Due to the wide-ranging nature of CTI/CUI data, there are many different categories that must be used. These categories are described in detail on the National Archives website.
Compliance Step # 3: Limit access to CTI/CUI data to only personnel who are authorized to use such information. This also includes limiting access based on the type of CTI/CUI data as categorized in step #2. For example, an employee who requires access to sensitive financial data would not necessarily require access to sensitive critical infrastructure data, and these types of accesses must be segregated.
Compliance Step # 4: Monitor all systems that have CTI/CUI information on them. Also, keep a log of who accesses the systems and when. This can be done with simple file access monitoring available in most software platforms. However, businesses must ensure the logs are accurate, complete, and preserved for a sufficient duration. Additionally, this monitoring requirement must ensure the information cannot be accessed through the use of “shared” or “non-attributed” accounts, as access logs would not be useful in such cases.
For businesses that partner with the DoD, it is vital to be compliant with NIST 800-171 to continue to work on DoD projects. By going through the simple process outlined above, compliance with NIST 800-171 can be guaranteed and demonstrated in the event of an audit.
How to Stay Compliant with FISMA
The Federal Information Security Management Act (FISMA) requires every federal agency to enact information security protocols for their information, assets, and systems. Not only do these government agencies have to maintain their own security, but also ensure that any other agencies, contractors, or entities handling their information provide for its security.
In addition, agencies must keep records about their information security. Each year, they must evaluate their information security procedures and disclose their findings to the Office of Management and Budget.
When it comes to complying with FISMA, the relationship between NIST and FISMA cannot be overstated. FISMA outlines a compliance framework that agencies and the contractors they work with must follow for their information systems. NIST’s guidelines and standards support and further develop FISMA’s framework.
6 FISMA Compliance Criteria
FISMA is a part of the E-Government Act of 2002 and requires the meeting of 6 compliance criteria. Many of these overlap with NIST compliance due to the dependent relationship between NIST and FISMA.
- Every federal agency, as well as the contractors they work with, must document every security system in their organization. They must also outline the relationships between these systems and the other systems used in their network.
- Federal agencies must categorize their information and systems to ensure that they have the highest level of security per the FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” document.
- In order to achieve FISMA compliance, federal organizations must make a detailed System Security Plan. This plan must be periodically reviewed and updated as well. The plan should include information about security policies and procedures, the security controls in place, and plans for any additional controls.
- Federal organizations must integrate any relevant security controls from the NIST SP 800-53 document. However, they are free to disregard any control that isn’t relevant to their agency or its information systems. These controls must also be included in the organization’s System Security Plan.
- FISMA also requires federal agencies to perform regular risk assessments. Another prime example of the interconnected relationship between NIST and FISMA, the NIST SP 800-30 document provides recommendations for administering these assessments. For instance, NIST dictates that risk assessments should be designed to pinpoint security risks at three levels: the organizational level, the business process level, and the information system level.
- Finally, federal agencies must earn FISMA Certification and Accreditation (C&A). This process involves four steps: initiation and planning, certification, accreditation, and continuous monitoring.
FISMA Compliance Best Practices
The best practices to ensure FISMA compliance include classifying information immediately to prioritize security controls and policies, automatically encrypting sensitive data based on its classification or risk level, and maintaining written evidence of FISMA compliance.
Obtaining FISMA C&A is essential to enhance the security of sensitive government information. Continuous monitoring, for instance, provides organizations with the information necessary to maintain a high level of protection while reducing vulnerabilities.
Additionally, companies operating in the private sector can also benefit from maintaining FISMA compliance. Following FISMA standards gives private organizations an advantage when seeking federal contracts. It ensures an organization is already prepared to fulfill its information security obligations when contracting for a federal agency.
Government agencies or associated private companies that fail to comply with FISMA requirements are subject to repercussions, including censure, federal funding reduction, and reputational damage.
How Contractors Are Affected by NIST and FISMA
As the DoD moves closer to automated security compliance, it is time for contractors to prepare for this change. Contractors should not only be aware of specific security requirements, but also the status of compliance by various agencies along with acceptable tools.
One of the best ways for contractors to prepare for this new automated world is to become familiar with NIST 800-171. In the NIST 800-171 standard, there are over 100 security requirements, with much of its focus on secure file sharing and information exchange for unclassified information. Per Washington Technology, there is a very high likelihood that NIST 800-171 will come into play when the government publishes final guidance for automated security compliance. So, how are various DoD agencies handling the automation of security compliance?
The NGA has been openly discussing automating their compliance process, aptly named ATO-in-a-Day (ATO stands for “authority to operate” and is a requisite component of federal information systems to be able to put them into service). This process is “designed to influence DevOps tools, processes and governance that are inclusive of information assurance and security.” ATO-in-a Day uses an unclassified platform that “provides 80% of the required security controls.” Currently, there are four main requirements for being able to utilize ATO-in-a-Day. One of the four requirements (number 3) stipulates that the software be built within the NGA DevOps continuous integration (CI) pipeline in Amazon Web Services (AWS).
A component of the DoD’s Threat Reduction Agency, the Joint Improvised-Threat Defeat Organized (JIDO) is currently “accrediting DevOps software stacks on both production and high-side networks.” They are using the RMF (Risk Management Framework) guidelines to accomplish this task.
The Department of Veterans Affairs is working to create an ATO-standardized cloud architecture in support of both AWS and Azure (Microsoft). This task is being conducted using FISMA as a guideline. The hope is to greatly reduce the administrative burden and make the process more efficient, along with shortening the time required to receive an ATO award.
The process toward automated security compliance continues to evolve in the defense environment. Many agencies are trying to prepare by implementing processes and strategies to meet this requirement. New tools are being utilized, such as OpenControl, to ensure a smooth transition. For DoD contractors, it is best to fully understand NIST 800-171 and FISMA, as there is a “high likelihood” these will be the framework when the government publishes official guidance. For the entire DoD community, preparation will be vital to a successful transition to automated security compliance now and in the future. So, how do NIST and FISMA relate to another critical DoD security aspect: FedRAMP?
Another Member of the NIST and FISMA Community: FedRAMP
FedRAMP stands for the Federal Risk and Authorization Management Program. FedRAMP is a government-wide solution to secure cloud services. This critical program “enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.”
If your organization works on technology projects for the government and/or defense industry, you are likely familiar with the Federal Risk and Authorization Management Program, better known as FedRAMP. The program standardizes the process for the security assessment, authorization, and monitoring of cloud-based services used for the government and military. Its ultimate goal is to reduce the number of redundant security assessments. The program currently covers five million assets and one-third of the world’s internet traffic. Additionally, FedRAMP creates $130 million in cost avoidance.
The federal government created FedRAMP to implement a model of “do once, use many times” when it comes to assessing the security of cloud products and services used by government and defense agencies. Simply put, it fosters a framework to save money and time by removing redundancy from the process.
It is a mandatory program for all cloud deployments and services for any federal agency, no matter the risk level. The only exception involves private cloud deployments made for a singular agency and hosted on-site at a federal facility.
The Types of FedRAMP Authorizations
Two types of FedRAMP authorizations exist, known as a Provisional Authority to Operate (P-ATO) and Authority to Operate (ATO). The P-ATO is an initial approval of an authorization package for a cloud-based system or product. Naturally, the ATO is granted after the full assessment is completed.
There are two related designations identifying where the cloud system is in the authorization process. FedRAMP Ready means the system is ready for an initial assessment to receive a P-ATO. FedRAMP Authorized identifies systems passing the full process, ultimately receiving an ATO. As noted earlier, FedRAMP is designed to reduce redundancy in the security authorization process. Once contractors receive a FedRAMP authorization, they are able to reuse it with subsequent federal agencies. This obviously saves time and money.
FedRAMP and NIST are connected by the fact that FedRAMP is built upon several NIST documents. NIST SPs that are related to FedRAMP include 800-53 (system controls) and 800-37 (risk management).
Get Help Fulfilling Your Contract Today
The DoD world is highly focused on security compliance and risk management. For both government agencies and defense contractors, it is essential to know about the relationship between NIST and FISMA, as well as how FedRAMP relates to these two. A greater understanding of these critical entities will prevent security issues and avoid unnecessary risk.
Are you a DoD contractor with questions and concerns regarding NIST, FISMA, and FedRAMP? Are you looking to find a knowledgeable, professional, security solution expert to help you fulfill your contract? At Entrust Solutions, we provide our clients with premier security consulting and services to ensure compliance with DoD regulations and policies and to help them fulfill their contracts right away. Contact us today to learn how we can help you.