
IS Decisions Blog

FISMA compliance: Key security requirements

Read on for an overview of FISMA compliance and learn how UserLock and FileAudit are recognized as efficient software solutions for 3 key NIST 800-53 control families.

Published May 24, 2013

In the United States, compliance with the Federal Information Security Management Act (FISMA) is a matter of national security. And, for even the most seasoned and savvy IT pros, navigating security compliance is anything but simple.
What is FISMA?

Signed into law in 2002 and updated in 2014 as the Federal Information Security Modernization Act, FISMA applies to all government agencies, with no exceptions. FISMA mandates that all government agencies must create, implement and monitor an information security program to protect government information, systems and data. And the requirements also apply to partner agencies or third-party vendors who may have access to the agency’s information, operations and systems.

What is FISMA compliance?

The Federal Information Security Management Act (FISMA) is designed to help agencies and departments of the federal government secure their data. Agencies that currently use, or plan to use, the cloud must go through the FedRAMP program to assess and ensure security.

Obtaining and maintaining FISMA compliance requires passing six separate categories of requirements:

  • Information system inventory

  • Risk categorization

  • System security plan

  • Security controls

  • Risk assessments

  • Accreditation and certification

Chief Information Officers (CIOs), Inspectors General (IGs) and officials of government programs are required to conduct annual reviews of their information security program and report their findings to the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS). Reports on each agency’s compliance are sent to Congress annually, and must include an independent cyber security evaluation.

What is the difference between FISMA and NIST?

FISMA is the law that lays out the cybersecurity standards for government agencies. As an agency of the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) lays out a set of controls and guidelines supporting FISMA which Federal agencies and organizations supporting them must follow.

Read more: Become NIST compliant

NIST 800-53: Key steps to achieving FISMA compliance

Specifically, NIST 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” lays out key steps to getting FISMA compliant. The 18 control families and their 205 respective controls encompass everything from physical security to information systems security to spam prevention and are designed to work for any organization as long as the controls are selectively chosen and implemented.

The intent of these controls is to take a calculated, risk-based approach to security by implementing just the right number of controls. Doing so not only saves money, but also helps to improve your organization’s operational efficiency.

Below are four key control families that help form the cornerstones of FISMA compliance.

Identification and Authentication (IA)

This set of controls is intended to ensure that the information system uniquely identifies and authenticates users.

  • Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.

  • Authentication: A process that establishes the origin of information or determines an entity’s identity.

These controls also require the implementation and use of multi-factor authentication (MFA) for network and local access to privileged and non-privileged accounts.

Access Control (AC)

The 22 controls making up this family provide security guidance focused on access control policies and procedures, remote access, access control lists (ACLs) and similar measures, helping to ensure that access to physical and computer-based information systems is restricted to authorized individuals only.

Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.

Audit and Accountability (AU)

The purpose of this set of 14 controls is to have the organization identify, audit, track and report on particular events that could be a security risk.

  • Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.

  • Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

System and Information Integrity (SI)

The purposes of the 12 controls within the System and Information Integrity control family include identifying, reporting and correcting flaws in code, as well as:

  • Proper error handling

  • Protection from malicious code such as viruses, Trojans, and spyware

  • Monitoring of systems

  • Reception and reaction to internal and external security alerts

  • Detection of unauthorized changes to data and software

  • Protection from spam, and predicting and preventing the failure of systems.
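As an added illustration (not code from the original post, nor from UserLock or FileAudit), the following Python script shows the simplest form of the "detection of unauthorized changes to data and software" purpose listed above: a SHA-256 baseline of a directory tree is recorded, and a later check classifies every file as modified, added or removed and renders the findings as audit lines so that an integrity violation is traceable. The directory layout, file names, file contents and the `host=`/`family=` log fields are all constructed for the example.

```python
"""Added example: a minimal file-integrity baseline and check over constructed sample data."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root to its hash (relative POSIX path -> SHA-256)."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing a link's target would let a link swap hide a change.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict[str, str], out: Path) -> None:
    """Persist the baseline. In production it belongs somewhere the monitored host cannot alter."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the baseline and classify every deviation."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def audit_lines(result: dict[str, list[str]], host: str) -> list[str]:
    """One line per deviation, in a key=value shape a log collector or SIEM can parse.

    The field names (host, family, event, change, path) are constructed for this example.
    """
    lines = []
    for kind in ("modified", "added", "removed"):
        for rel in result[kind]:
            lines.append(f"host={host} family=SI event=integrity_violation change={kind} path={rel}")
    return lines


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny tree, alter it three ways, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        monitored = root / "monitored"
        (monitored / "bin").mkdir(parents=True)
        (monitored / "bin" / "service.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # stand-in bytes
        (monitored / "config.ini").write_text("debug=false\nlog_level=info\n")
        (monitored / "data.csv").write_text("id,value\n1,42\n")

        # The baseline lives outside the monitored tree so it is not reported as "added".
        store = root / "baseline.json"
        save_baseline(build_baseline(monitored), store)

        # Unauthorized changes: a config edit, a dropped binary, and a deleted service file.
        (monitored / "config.ini").write_text("debug=true\nlog_level=info\n")
        (monitored / "bin" / "update.exe").write_bytes(b"MZ\x90\x00")
        (monitored / "bin" / "service.exe").unlink()

        return verify(monitored, load_baseline(store))


if __name__ == "__main__":
    for line in audit_lines(demo(), host="constructed-host"):
        print(line)
```

Two design points carry over to any real deployment of this control: the baseline must be stored and signed where an attacker who already controls the host cannot rewrite it, and the check has to run on a schedule or on file-system events, since a one-off comparison only shows the state at the moment it was taken.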

Get FISMA compliant with UserLock and FileAudit

UserLock and FileAudit are efficient software solutions to implement FISMA/NIST compliance for these four key NIST 800-53 control families.

Identification & authentication: Building on your existing Active Directory, UserLock helps organizations identify and authenticate users with easy-to-use MFA. Combined with single sign-on (SSO), UserLock enables secure and frictionless access to both network and cloud resources.

Access control: UserLock offers comprehensive access management, including user logon restrictions and the ability to monitor, alert on and respond to session activity throughout the corporate Windows network.

Audit and accountability: UserLock offers the ability to audit and report on access events across the network.

System and information integrity: FileAudit makes it easy to monitor and audit access to sensitive files stored on Windows systems or the cloud in real time. It also allows you to set up alerts and automated responses to data changes, and report and track NTFS permissions, permission changes and properties.

Of course, this overview vastly simplifies the complexities and nuances of cyber security. But as a quick reference, we hope you find it helpful.