For most companies, adhering to regulations and industry standards is a requirement for doing business, one that governs how sensitive data is collected, stored, processed and maintained so that it stays secure. Failure to comply can cost thousands of dollars in penalties and fines, not to mention result in brand damage.
If your company operates an information system for a federal government agency, you must comply with the Federal Information Security Management Act (FISMA). FISMA is a U.S. law that establishes a framework for managing information security that must be implemented for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. Compliance with FISMA and other government mandates and guidelines can be difficult for companies that don’t have technical resources or on-staff expertise.
At Peak 10, the investments we make to ensure the security and availability of our data centers take some of the pressure off our customers, and can help them achieve and maintain FISMA compliance.
Based in Sellersberg, Indiana, Peak 10 customer Rivera Consulting Group helps large government agencies achieve compliance, security and accreditation of their systems to meet the requirements of FISMA. We asked Rivera’s director of operations, Aaron Wilson, for his take on FISMA compliance.
FISMA Compliance: A Firsthand Look from Rivera Consulting Group
For our business, FISMA compliance means we need a reliable, secure and compliant infrastructure, and the ability to effectively monitor, document and report on processes and activity so that maintaining that compliance isn’t a headache. Peak 10’s audit-ready facilities, combined with its compliance and security program, make FISMA a lot easier to tackle for us.
For true FISMA compliance, we recommend that our customers focus on three critical steps:
- Assess – Based on the availability, integrity and confidentiality of the data within a system, FISMA categorizes systems as low, medium or high level. When looking at a system, we first assess any changes that may have affected its categorization. We have had customers operating systems at a high level that should have been categorized as low level. If you over-categorize your system, you put yourself at risk of spending more money than necessary. Assessing these categories is a solid starting point for FISMA compliance, as is documenting practices and assessing their effectiveness for constant process improvement.
- Document – We recommend documenting any changes to a system, such as tickets or patches. A change to one part of the system may have a ripple effect on other dependent systems and, in turn, on FISMA compliance. FISMA requires a process for planning, implementing, evaluating and documenting remedial action to address any deficiencies. Systems also must go through a re-accreditation every three years. To do this most efficiently, companies must document any system changes, have a good repository for storing that information and update it regularly.
- Monitor – Continuous monitoring is a critical part of the FISMA risk management process and the way to maintain an acceptable level of risk, despite any changes that occur. Timely, relevant and accurate information is vital for maintaining an ongoing awareness of information security, vulnerabilities and threats to support risk management. A lot of people think of continuous monitoring as the day-to-day or even hourly level activities such as monitoring the firewall for suspicious activity or rejecting certain types of calls to the ports and servers. However, it really comes down to the ability to ensure the continuity of operations across a system. As an example, last year a patch was issued for an SSL vulnerability called Poodle. We were able to quickly reconfigure any affected systems so it was no longer a concern. Inaction on those types of vulnerabilities can lead to problems. If you aren’t vigilant on making changes, it opens you up to being hacked.
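The POODLE remediation mentioned above comes down to one verifiable condition: a server must no longer negotiate SSL 3.0. As an added example (not code from Peak 10 or Rivera Consulting Group), the following Python script is the kind of continuous-monitoring check that confirms the reconfiguration held on your own hosts. It sends a bare SSLv3 ClientHello and classifies the first record that comes back; the host name, port and cipher suite list are assumptions chosen for illustration.

```python
import os
import socket
import sys

SSLV3 = b"\x03\x00"   # protocol version bytes for SSL 3.0

# A few cipher suites an SSL 3.0 server of the POODLE era would commonly accept
# (IANA values; assumption for this probe, any SSLv3-capable suites would do).
CIPHER_SUITES = b"\x00\x0a\x00\x2f\x00\x35\x00\x05"

def build_sslv3_client_hello() -> bytes:
    """Return a minimal SSLv3 ClientHello record; only the version bytes matter here."""
    body = (
        SSLV3                                                  # client_version = SSL 3.0
        + os.urandom(32)                                       # client random
        + b"\x00"                                              # session_id length 0
        + len(CIPHER_SUITES).to_bytes(2, "big") + CIPHER_SUITES
        + b"\x01\x00"                                          # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + SSLV3 + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake

def classify_response(data: bytes) -> str:
    """Map the first record a server sends back to a monitoring verdict."""
    if not data:
        return "rejected: connection closed without a reply"
    if data[0] == 0x15 and len(data) >= 7:                     # Alert record
        desc = data[6]
        name = {40: "handshake_failure", 70: "protocol_version"}.get(desc, str(desc))
        return f"rejected: alert {name}"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # Handshake / ServerHello
        if data[9:11] == SSLV3:
            return "ACCEPTED: server negotiated SSL 3.0 (POODLE-exposed)"
        return f"unexpected: server chose version {data[9]}.{data[10]}"
    return "unclear: unrecognised reply"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3 ClientHello to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""                                        # treated as a rejection
    return classify_response(reply)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default host
    print(target, "->", probe(target))
```

A "rejected" verdict is the evidence to keep in the change record described under Document; an "ACCEPTED" verdict means the reconfiguration did not take on that host.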
Easing the Burden
The requirements for FISMA compliance can be challenging but transferring some of that burden to a partner like Peak 10 can be a welcome relief. Since inception, Peak 10 has proactively implemented the necessary safeguards within our data centers to assist customers like the Rivera Consulting Group in cost-effectively meeting a wide range of regulatory compliance requirements. Our compliance program is designed to help companies comply with FISMA, as well as HIPAA, PCI DSS, ITAR and other regulatory requirements.