Risk Management Framework

FISMA was first codified in 2002, and has been updated nearly every year since in order to keep pace with an ever-changing cybersecurity landscape. FISMA compliance is evaluated on different system categorization levels (Low, Moderate, High) as determined by the Standards for Security Categorization of Federal Information and Information Systems (FIPS-199).

Once a system categorization is determined, organizations implement the appropriate controls detailed in NIST 800-53.

The FISMA compliance process is relatively straightforward, but typically it is quite difficult to fully achieve given its level of depth.

1. Inventories - Identifying and organizing all information systems, detailing how they're used, and interconnected.
2. Categorization - All information must be categorized according to the risk level to ensure that information is protected appropriately.
3. System Security Plan (SSP) - This is a well-maintained document that details process and procedures.
4. Controls - NIST 800-53 contains hundreds of security controls that must be implemented and documented.
5. Assessments - Detailed assessments to determine risks to the business/team, business processes, and information systems must be regularly completed.
6. C&A - Once certified as compliant, teams must prepare for annual reviews to ensure ongoing compliance.

‍