What are FISMA and FedRAMP?

By Chris Wiedemann, consultant

Whether you’re a veteran of federal IT sales or a complete newcomer to the space, there’s one recurring theme you’ve probably noticed in the way our customers talk to industry: regardless of their mission or program, they all mention cybersecurity as a critical part of their job.

Given the sheer number of incidents and the size and scope of federal networks, not to mention the often sensitive information they contain, the focus on security makes business sense. However, as is often the case with government, there’s an extra factor to their behavior – they’re required by law to secure federal networks. One law in particular – the Federal Information Security Management Act (FISMA) – plays a critical role in determining how agencies need to secure their environments.

Originally passed in 2002, FISMA essentially requires agencies to keep a current inventory of their IT systems, define risk tolerance and impact risk levels for each system, and maintain a set of security controls based on that risk assessment. Those controls are determined by the National Institute of Standards and Technology (NIST) at the Commerce Department, and are collectively published in a document called Special Publication 800-53 (which you can read here). Note that while SP 800-53 is obviously critical to cybersecurity vendors looking to capture business, it’s equally important to anyone else who wants to sell technology to government – if your software doesn’t meet the controls laid out in the document, it’s going to be tough to install it in a federal environment.

Controls aren’t the only way that FISMA has created cybersecurity requirements in government. While the original bill required agencies to give an annual report on their security posture to the Office of Management and Budget (OMB), the FISMA Modernization Act of 2014 put much more authority in the hands of the Department of Homeland Security to protect non-national security networks. DHS uses that authority to manage the Continuous Diagnostics and Mitigation (CDM) program, which has been a key insertion vehicle for cybersecurity vendors into government (and, incidentally, an area where immixGroup can help connect you to the right partners to find business).

While FISMA was intended to be a comprehensive exercise in protecting federal technology environments, it was written before the advent of cloud – and struggled to keep up with off-premises technology deployments. That realization led to the creation of the Federal Risk and Authorization Management Program, better known as FedRAMP. Although it is administered by the General Services Administration, FedRAMP is a government-wide certification program that translates NIST 800-53 security controls into the cloud. Essentially, if you’re looking to work with government in any kind of service-based engagement, a FedRAMP certification is a must. You can read more about the program here.

Much more could be written about cybersecurity requirements in government, but the above should give you a good starting point to learn more. Be sure to look out for more posts in my “What is…?” series here, and check out my next class on Fundamentals of Selling IT to the Federal Government coming up on June 22 in McLean, VA.