FIPS 199 and FISMA
An audit of your security program to determine FISMA compliance
FRSecure performs a full array of information security assessments and audits including FISMA, ISO Certification, NERC/FERC, FDA, SEC, FINRA, SOX, and more. If you’re looking for an assessment, we’ve likely done it before, and are happy to discuss your needs with you. Call us today.
Need help with NIST SP 800-171?
If you are a non-federal organization that operates and maintains systems storing, processing or transmitting Controlled Unclassified Information (CUI), the federal government’s security requirements outlined in the National Institute of Standards and Technology — NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations — affect you. Failure to comply may affect new and current federal and Department of Defense (DoD) contracts.
As your expert security partner, FRSecure can provide you with the necessary assessment and consulting services to meet the NIST SP 800-171 and DFARS security requirements. FRSecure offers two gap analysis options to help determine how close your organization and current information security program are to meeting these federal requirements.
What is a FIPS/FISMA Audit?
A FISMA assessment or audit is designed to determine areas of compliance and areas requiring remediation to become FISMA compliant. FRSecure assesses the Client’s current information security practices and controls against those listed in National Institute of Standards and Technology (“NIST”) Special Publication 800-53 Revision 3 (“SP800-53 Rev. 3”), “Recommended Security Controls for Federal Information Systems and Organizations”.
This assessment starts with determining the appropriate Federal Information Processing Standard (“FIPS”) Publication 199 Security Assurance Level (“SAL”), and then proceeds through assessing the appropriate security controls.
Why would I want one?
FISMA assessments are most common in government organizations or in organizations that do work for the government. For organizations that fit this description, FISMA compliance is often a requirement.
What is the process for completing the audit?
At a high level, the FISMA assessment process consists of the following steps:
- Determine the appropriate Federal Information Processing Standard (“FIPS”) Publication 199 Security Assurance Level (“SAL”)
- Conduct a FISMA gap analysis to determine areas of compliance and areas requiring remediation to become FISMA compliant
  - Assess the organization’s current information security practices and controls against those listed in National Institute of Standards and Technology (“NIST”) Special Publication 800-53 Revision 3 (“SP800-53 Rev. 3”), “Recommended Security Controls for Federal Information Systems and Organizations”.
  - Assess controls in the following areas of information security:
    - Access Control
    - Awareness and Training
    - Audit and Accountability
    - Security Assessment and Authorization
    - And many more…
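The first step above, determining the FIPS 199 level, follows a fixed rule: each information type on the system is rated Low, Moderate or High for confidentiality, integrity and availability, the system takes the highest rating per objective (the "high-water mark"), and the highest of those three selects the Low, Moderate or High SP 800-53 control baseline. The script below is an added example of that calculation over constructed sample data; it is not FRSecure's tooling, and the information types and ratings are invented for illustration (FIPS 199 itself calls this level the security category and impact level rather than "Security Assurance Level").

```python
"""FIPS 199 security categorization via the high-water mark (constructed example)."""
from dataclasses import dataclass

# Ordinal scale so that "max" picks the highest impact level.
LEVELS = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, rated per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def system_category(info_types):
    """Return {objective: level} for the whole system.

    FIPS 199 rules applied here: "N/A" is permitted only for the
    confidentiality of public information, and a system is never rated
    below Low for any objective even if every information type is N/A.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    category = {}
    for objective in OBJECTIVES:
        ratings = [getattr(t, objective) for t in info_types]
        for rating in ratings:
            if rating not in LEVELS:
                raise ValueError(f"unknown impact level {rating!r} for {objective}")
            if rating == "N/A" and objective != "confidentiality":
                raise ValueError("N/A is only permitted for confidentiality")
        high_water_mark = max(LEVELS[r] for r in ratings)
        category[objective] = NAMES[max(high_water_mark, LEVELS["Low"])]
    return category


def overall_impact(category):
    """Overall impact level (selects the SP 800-53 baseline): highest objective."""
    return NAMES[max(LEVELS[v] for v in category.values())]


# Constructed sample system: public web content plus a contractor database
# holding CUI and payment records. These ratings are illustrative only.
SAMPLE = [
    InfoType("Public web content", "N/A", "Moderate", "Low"),
    InfoType("Contractor PII (CUI)", "Moderate", "Moderate", "Low"),
    InfoType("Payment records", "Moderate", "High", "Moderate"),
]

if __name__ == "__main__":
    cat = system_category(SAMPLE)
    print(cat, "-> overall:", overall_impact(cat))
```

Note that a single High rating on one objective of one information type pulls the whole system into the High baseline, which is why scoping which information types a system actually handles is the first thing to get right.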
What are the deliverables I should expect?
Deliverables for a FISMA assessment are:
- Executive Report
  - The executive report contains a description of the assessment and an executive summary. A high-level summary of compliance and detail is provided on the individual standards, including variance information and compliance by common groupings.
- FISMA Analysis Detail Report
  - The detail report builds on the contents of the executive report by adding a gap analysis and question-and-answer sections. The gap analysis lists each component question where the answers did not meet the required Security Assurance Level (“SAL”). Questions and answers are sorted by rank. Color codes are included to present a clearer compliance picture for each question.
What does a FIPS 199/FISMA audit cost?
The cost of a FISMA audit or assessment is largely determined by the size and complexity of the environment. Because of this, FRSecure strives to determine the best possible approach for our clients to ensure successful completion of the audit in a cost-effective way. All you need to do is spend a few minutes on the phone with our team to make sure we are delivering exactly what you need and want.