
FISMA 4: New Threats Mean Tighter Controls

by Paul Rainbow and Adam Teuscher
October 2013

Is your organization positioned to comply with the new FISMA guidance?

The Federal Information Security Management Act (FISMA) of 2002 was enacted in recognition of how heavily the nation's economic and national security depend on information systems. The act requires federal agencies, and the contractors that operate systems on their behalf, to develop, document, and implement security controls that reduce the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems, thereby protecting their confidentiality, integrity, and availability.

In April 2013 the National Institute of Standards and Technology (NIST) published new FISMA guidance: Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, the catalog of controls agencies use to meet FISMA's requirements (this article refers to it as FISMA 4). It was the largest update to the security controls catalog since the catalog was first published in 2005, and it was driven by an expanding threat landscape in which the frequency and sophistication of cyberattacks have left some controls in earlier revisions obsolete or inadequate against today's threats.

The update, the fourth revision of the catalog since its original publication, adds several new control areas and withdraws or expands existing controls to give clearer implementation guidance. The new controls address areas such as:

  • Mobile and cloud computing
  • Application security
  • Trustworthiness
  • Assurance
  • Resiliency of information systems
  • Insider threats
  • Supply chain security
  • Advanced persistent threats

FISMA 4 also adds a catalog of privacy controls (Appendix J of the publication), based on the internationally accepted Fair Information Practice Principles and designed to “build public trust in the privacy practices of organizations and to help organizations avoid tangible costs and intangible damages from privacy incidents.” With this new focus on current and emerging threats and on privacy, the base set of security controls and control enhancements grows from roughly 600 to more than 800.

Lastly, the guidance introduces a concept called “overlays.” An overlay is a fully specified set of controls, control enhancements, and supplemental guidance tailored to a particular community, technology, or operating environment (for example, a class of systems shared across several agencies) and applied on top of the standard baseline. Overlays let an organization add, scope out, or adjust controls in a consistent way, but every tailoring decision still has to be documented with its rationale and justification and approved by an authorizing official.

How should your organization comply with the new changes? You can start by downloading the guidance and walking through these four steps:

  1. Remap your current controls to the new guidance to identify control gaps, including controls that were withdrawn, renumbered, or merged into other controls.
  2. Review the adequacy of your current controls against the updated implementation specifications; a control that is still present may now require more than your existing implementation provides.
  3. Develop a remediation plan describing how your organization will implement the new controls. The new guidance assigns a priority code (P1 through P3) to each control, which you can use to sequence remediation efforts.
  4. Review the guidance to determine whether your organization can use the new overlay mechanism to limit the scope and rigor of the required new controls, and record the rationale for each tailoring decision for the authorizing official's approval.

We're Here to Help

GarryMichael continually monitors the regulatory landscape for federal agencies and their contractors. For questions about how your organization can adapt to the new FISMA requirements, contact us today.