FISMA Audit & FIPS 199 Assessments
NIST SP 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Compliance Services
Need help with NIST SP 800-171?
The federal government outlined security requirements in the National Institute of Standards and Technology NIST Special Publication 800-171 for protecting controlled unclassified information in nonfederal information systems and organizations. All non-federal organizations that operate and maintain systems storing, processing, and transmitting Controlled Unclassified Information have to follow this (CUI) guideline. Failure to comply may affect new and current federal and Department of Defense (DoD) contracts.
As your expert security partner, C’S|3 security consultants can provide you with the necessary assessment and consulting services to meet the NIST SP 800-171 and DFARS security requirements. C’S|3 offers two-gap analysis options to help determine how close your organization and current information security program are to meeting these federal requirements.
What is a FIPS 199/FISMA Audit?
FISMA 2014 codifies the Department of Homeland Security’s role in administering the implementation of information security policies for Federal Executive Branch civilian agencies, overseeing agencies compliance with those policies, and assisting OMB in developing those policies.
The legislation provides the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices. It also:
- Authorizes DHS to provide operational and technical assistance to other Federal Executive Branch civilian agencies at the agency’s request;
- Places the federal information security incident center (a function fulfilled by US-CERT within DHS by law;
- Authorizes DHS technology deployments to other agencies� networks (upon those agencies� request);
- Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
- Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually; and
- Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.
A FISMA assessment or audit is designed to determine areas of compliance and areas requiring remediation to become FISMA compliant. C’S|3 assesses the Client�s current information security practices and controls against those listed in National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3 (SP800-53 Rev. 3); These recommended Security Controls are comprehensive guidelines for Federal Information Systems and Organizations. This assessment starts with determining the appropriate Federal Information Processing Standard (FIPS) Publication 199 Security Assurance Level (SAL), and then proceeds through assessing the appropriate security controls.
Why would I want a FIPS 199/FISMA Audit?
FISMA audits or assessments are most common in government organizations or in organizations that do work for the government. For organizations that fit this description, FISMA compliance is often a requirement.
What is the process for completing a FIPS 199/FISMA Audit?
C�S |3 Consultants help with the FISMA audit process which is comprised of the following steps:
- Determine the appropriate Federal Information Processing Standard (FIPS) Publication 199 Security Assurance Level (SAL)
- Conduct a FISMA gap analysis to determine areas of compliance and areas requiring remediation to become FISMA compliant
Assess the organization�s current information security practices and controls against those listed in National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3 (SP800-53 Rev. 3); Recommended Security Controls for Federal Information Systems and Organizations.
Assess controls in the following areas of information security:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Author
What are the deliverables for a FIPS 199/FISMA Audit?
Deliverables for a FISMA audit are:
- Executive Report
- The executive report contains a description of the assessment and an executive summary. A high-level summary of compliance and detail is provided on the individual standards including variance information and compliance by common groupings.
- FISMA Analysis Detail Report
- The detail report builds on the contents of the executive report by adding a gap analysis, questions and answers sections. The gap analysis lists each component question where the answers did not meet the required Security Assurance Level (“SAL”). Questions and answers are sorted by rank. Color codes are included to present a better compliance picture for each question.
What does a FIPS 199/FISMA Audit cost?
The cost of FISMA audits or assessments is largely determined by the size and complexity of your current environment and taking into account the historical context of your business workflow processes and the impact of current and legacy systems. Because of this, C�S|3 strives to determine the best possible approach for our clients to ensure the successful completion of the audit in a cost-effective way. All you need to do is spend a few minutes on the phone or online meeting call with our team to make sure we are delivering exactly what you need and want.
What FIPS 199/FISMA Audit options are there?
C’S|3 provides two options for a FISMA audit.
Option 1 Full Information Security Assessment with Gap Analysis
Our Full Information Security Assessment leverages and references current security frameworks and standards found in ISO/IEC 27001:2013 and the NIST Cybersecurity Framework (CSF), both of which map to the NIST SP 800-171 security requirements.
The four phases of a full information security assessment are:
- Phase 1:Administrative Controls The people part of security, including risk management, security governance, policies, standards, training, and employee awareness.
- Phase 2:Physical Controls How much does your anti-virus protection mean to you if someone steals your server? Physical controls are an essential and often overlooked part of your security strategy.
- Phase 3: Technical Controls (Internal) We affectionately call this the gooey center. Most organizations do a pretty good job at securing the technical perimeter (firewalls, intrusion detection, etc.), but sometimes neglect the controls that are essential for an effective defense-in-depth strategy.
- Phase 4:Technical Controls (External) This category covers how effective your organization is at keeping the bad guys out of your network.
C’S|3 Consultants map relevant NIST controls and provide a gap analysis for the full information security assessment.
Your organization will receive all our standard full information security assessment deliverables, which include the executive summary, the full report, and the action plan. You will also receive an additional report that will map the full information security assessment result to the NIST 800-171 controls. The gap analysis and the full information security assessment action plan can be used to build your remediation plan. This option provides both an overall security assessment against industry best practices and the information needed to begin addressing gaps in your CUI protection measures.
Option 2 Gap Analysis
Your other option is a more narrowly scoped assessment of how well your Information Security Program meets the security requirements outlined in the NIST 800-171 controls. Your organization will receive a report displaying each control and your level of compliance with that control. While this option will get you a final gap analysis to build your remediation plan from, it does not assess your full information security program against industry best practices.
With a completed NIST SP 800-171 gap analysis, C’S|3 Consultants can help your organization develop a System Security Plan (SSP), Plan of Action & Milestones (POA&M), and help remediate gaps in policy, process, and/or training. Our security expert team has proven experience in establishing effective, measurable, and enforceable organizational controls in support of DoD, federal, financial, and healthcare compliance frameworks.