FISMA Assessment Services

Engaging in business or exploring opportunities that necessitate compliance with the Federal Information Security Management Act (FISMA)? Navigating the intricacies of a FISMA authorization can be challenging, especially given the varied interpretations of requirements across different agencies.

TruTek team members offer guidance and independent assessments of your IT service offering. With experience in implementing FISMA requirements dating back to the law's enactment in 2002, we can assist you in navigating the process.

Gap Analysis

The initial step in preparing for a FISMA assessment involves conducting a gap assessment to identify your current state of readiness to meet the stringent requirements. This gap assessment covers various topics, including:

  • Overview of FISMA requirements
  • Review of each security control at the defined categorization level, assessing the level of implementation based on interviews
  • Explanation of the intent of each control and clarification on supporting evidence required during the assessment
  • A quick evaluation of overall readiness for FISMA

Program Development

Preparing for FISMA is a substantial endeavor. If you haven't undergone a regulatory compliance assessment before, developing the necessary documentation for assessors may take time. TruTek team members are well-versed in FISMA requirements across different agencies and can support you in this development activity.

Our support includes:

  • Obtaining agency-specific templates
  • Validating FIPS 199 security categorization level
  • Developing the FISMA security package, comprising items such as:
      • System Security Plan
      • Contingency Plan
      • Configuration Management Plan
      • Incident Response Plan
      • Privacy Impact Assessment
  • Boundary validation as part of documentation development
  • Full program development to ensure the IT service offering is prepared for assessment and authorization

Security Assessment

An independent assessment is crucial to validate the security posture of the IT service. It can be conducted by the agency itself or by an independent third party. The assessment includes:

  • Security control review based on the in-scope controls from NIST SP 800-53
  • Vulnerability scanning of operating systems and databases
  • Penetration testing for FISMA High systems
  • Documenting the results of all testing activities in a Security Assessment Report (SAR), with appropriate risk levels assigned to identified weaknesses
  • Providing recommendations to the authorizing official on next steps

Continuous Monitoring

Securing a FISMA authorization is the initial step, but its sustained upkeep demands ongoing assistance. Agencies implement continuous monitoring in diverse ways, whether handling it internally or entrusting it entirely to the service provider.

This involves periodic spot checks, as specified by the federal agency, to confirm that the security posture remains sound. Retesting is mandated at least every three years, though certain situations may necessitate annual reassessment. Automation is instrumental in demonstrating that the security posture is being consistently and properly maintained over time.