A Complete Step-By-Step Guide to Getting FISMA Certified

Anwita


Nov 22, 2024

Introduced by the U.S. government in 2022, the Federal Information Security Management Act (FISMA) aims to protect the security of federal information systems, focusing on a “risk-based policy for cost-effective security.”

If you are a federal agency, contractor, or subcontractor looking to be FISMA certified, understanding the process is essential. The official guideline is a lengthy piece of legal jargon that may be overwhelming and complicated. If you want a simplified, quick, and easy-to-understand version, keep reading.

In this article, we discuss who should be certified, explore the differences between certification and accreditation, walk through the FISMA certification requirements and the step-by-step process, and share tips on how to fast-track the process. By the end of it, you’ll be a FISMA specialist!

TLDR
  • FISMA certification evaluates security controls, while accreditation is management’s formal approval of the system’s security state.
  • FISMA certification has four stages: the Initiation, Security Certification, Security Accreditation, and Continuous Monitoring phases. 
  • Non-compliance with FISMA can result in loss of federal contracts, increased oversight, or agency budget cuts.

What is FISMA certification? How does it differ from an accreditation?

While certification builds the groundwork for the accreditation process, the two are distinct. Understanding these differences is critical if you are looking to become FISMA compliant.

FISMA security certification is a supporting activity that provides authorizing officials with the data they need to make informed, risk-based decisions on implementing security controls.

These decisions are based on the result of evaluating the effectiveness of security controls. As FISMA stresses on the importance of understanding the concepts and processes in depth, the. 

Security accreditation is a continuous process of managing risks posed by the operation of information systems. The authorizing officials are responsible for determining the right action to manage risks — accept, reject, transfer, or mitigate. 

Given that changes in the information system can impact operations, assets, and individuals, the need for a structured process to continuously monitor the effectiveness of controls is critical.

Who should be FISMA certified?

FISMA applies to federal government agencies in the United States and a wide range of companies that cater to them, such as: 

  • Third-party service providers 
  • Contractors/subcontractors/agencies 
  • Any vendors who operate on your behalf
  • Local or state governments managing federal programs like student loans

According to FISMA, a federal information system is any information system that the organizations mentioned above use or operate. If you qualify as any of these, you must protect the information systems that support or process sensitive information and assets of the agency. Private companies that work for such agencies should also be compliant.

FISMA compliance requirements

Before we delve into the certification process in detail, let’s understand what the FISMA requirements entail on a high level. You may refer to the complete guide to understand these steps in detail. 

  • Develop and maintain an inventory of applications and systems processing PII
  • Categorize your systems into national security and non-national-security systems
  • Implement security controls based on the level of risk
  • Conduct a risk assessment to evaluate the effectiveness of the implemented controls
  • Develop a system security plan consisting of plan of action and risk assessment
  • Get certified and accredited – explained in detail in this article 
  • Continuously monitor your controls 

What are the five levels of reporting in FISMA?

FISMA requires the Inspector General (IG) or an independent external auditor to evaluate the effectiveness of the agency’s information security program. The reporting metrics must be structured in a format developed by NIST to help them assess the maturity of the controls:

Maturity level – Description of maturity level

  • Level 1: Ad Hoc – Policies, procedures, and strategies lack formalization; activities occur in an ad-hoc, reactive way.
  • Level 2: Defined – Formalized and documented policies, procedures, and strategies exist, but implementation is inconsistent.
  • Level 3: Consistently Implemented – Policies, procedures, and strategies are consistently implemented, though measures of effectiveness are not systematically tracked.
  • Level 4: Managed and Measurable – The organization collects quantitative and qualitative measures to assess the effectiveness of policies, procedures, and strategies, using the data to make improvements.
  • Level 5: Optimized – Policies, procedures, and strategies are fully integrated, repeatable, self-sustaining, and regularly updated to reflect evolving threats, technologies, and business needs.

FISMA certification and accreditation phases

The FISMA certification and accreditation process is divided into four stages:

  1. Initiation phase
  2. Security Certification phase
  3. Security Accreditation phase
  4. Continuous Monitoring phase

Each stage is further divided into tasks and subtasks. Each has to be carried out by specific roles or designated officers, such as the Chief Information Officer, information system owner, certification agent, and more. Let’s explore each in detail.

Note: FISMA refers to multiple guidelines from publications like NIST 800 53, NIST 171, FIPS 199, OMB Circular A-130, NIST 800 34, NIST 800 47, NIST 800 50, NIST 800 26, NIST 800 53A, and more. 

1. Initiation phase

The initial phase helps ensure the authorizing official and senior agency information security officer are on the same page regarding the system security plan. 

The substages of this phase are: 

  • Preparation
  • Notification and resource identification
  • System security plan analysis, update, and acceptance

1.1. Preparation

The preparation sub-phase aims to review the plan to ensure its consistency with the initial risk assessment. It consists of:

  • Describe information systems: The objective is to describe and document the components of the information system in the security plan. System descriptions generally include its name, unique identifier, status based on the SDLC, functional requirements, security architecture, information flows, applicable laws, etc.
  • Categorize systems: Evaluate whether your information system falls within the definition of national security using NIST 800-59. If not, refer to FIPS 199, which details three levels of impact (low, moderate, high) for the security objectives (confidentiality, integrity, availability) to secure federal information systems. 
  • Identify threats: Identify potential threats that can impact your security objectives. The source of these threats can be natural, human, or environmental. You can start from a baseline of commonly recognized threats that applies across your platforms and technologies. FISMA suggests documenting the threat information in the risk assessment or system security plan for reference purposes.
  • Identify vulnerabilities: System vulnerabilities refer to security gaps or weaknesses in the information system that malicious actors can exploit. Depending on the stage, you can run a vulnerability analysis at any point in the system development life cycle. For example, during the development phase, look for potential lapses in defining security policies, processes, and system requirements. 

You can use questionnaires, interviews, document reviews, and automated scanning tools. 

Risk assessment documents, audit reports, system anomaly results, VAPT reports, vendor or security advisories, hardware or software analysis, and more are common resources to identify vulnerabilities. 

  • Identify security controls: Security controls are the safeguards that protect the information systems. These predefined controls are commensurate with the FIPS 199 categories and identified during the communication process involving the senior agency infosec officer, authorizing roles, system owners, and information system officer. 

Agencies should adjust the baseline set of controls based on the threats and vulnerabilities identified during the risk assessment and the risk tolerance level. These adjustments should be documented in the security plan. 

  • Determine initial risks: FISMA requires you to conduct a risk assessment to determine the most cost-effective way to secure information systems. The ongoing assessment process should factor in system vulnerabilities, the level of impact in case of an incident, and the effectiveness of the selected security controls.

This should be a continuous activity to identify and address new threats using adequate controls. 

1.2. Notification and resource identification

This activity aims to communicate with the concerned officials regarding the pending certification and accreditation, allocate resources, and strategize its implementation.

  • Notify: Notify the critical agency officials that the certification and accreditation process is starting, and prepare them for the activities.
  • Plan and allocate resources: Determine the level of effort required for certification. This is based on four factors – your system’s complexity, the system category as per FIPS 199, the selected controls, and the methods you have used to determine the effectiveness of the security controls. 

Next, identify and allocate resources to prepare for the certification activities. A certification agent executes the certification plan and has it approved by the relevant authorities. 

1.3. System security plan analysis, update, and acceptance

The goal of this activity is to independently review the security categorization, analyze the plan, update it based on the analysis, and get it approved by relevant authorities.

  • Review security categories: Revisit the FIPS 199 categorization to confirm that the selected security controls match the impact level. This helps assess gaps in implementation and align the controls with your organization’s objectives.
  • Analyze system security plan: The authorizing officials review the security plan to check whether it meets the requirements documented for the information system. Next, they determine how much can be analyzed based on the risk assessment and the documented information. Once reviewed, they recommend changes based on the result.
  • Update system security plan: The information system owner reviews the recommendations of the authorizing officials before implementing them.
  • Accept the security plan: Review the agency-level risk described in the security plan to determine if it is acceptable. 

If yes, the authorizing officials accept and initiate the next action: assessing the security controls. If the plan is unacceptable, it is sent to the system owner for further review and action. 

2. Security certification phase

The security certification phase helps evaluate security controls’ operational effectiveness and address system vulnerabilities. Here, the authorizing officials determine the risks to assets, individuals, and operations. 

It consists of two parts: 

  • Security control assessment
  • Security certification documentation

2.1. Security control assessment

The security control assessment step helps prepare for, conduct, and document the assessment results. 

  • Document: The system owner and certification agent will gather evidence such as implementation reports, logs, and records. They will reuse historical evaluation data and assessment results to optimize cost and time.  
  • Method: Refer to NIST 800 53A to assess the controls using standardized processes. 
  • Assess security: Evaluate the effectiveness of security controls and document the assessment results with corrective actions.
  • Prepare the assessment report: The certification agent prepares the report containing the assessment results and recommendations to patch the gaps. This report is a statement of the information system’s current posture. 

2.2. Security certification documentation

Now that the assessment report is ready, share it with the system owner, update the plan as required, prepare the plan of action and milestones, and create the accreditation package.

  • Implement recommendations: The certification agent offers the expertise and technical judgment to assess the control and recommend corrective actions to address the vulnerabilities. The system owner can implement the recommendations before finalizing the package. 
  • System security plan update: Update the systems security plan to reflect the actual status of the implemented controls and vulnerabilities. 
  • Prepare the plan of action and milestones: This document identifies the pending tasks, resource requirements, delivery dates, and milestones.
  • Accreditation package: The system owner compiles the final accreditation package, which contains the assessment report, plans of action, and an updated security plan. The system owner consults the certification agent and other key stakeholders for their unbiased review before finally submitting it in paper or electronic format. 

3. Security accreditation phase

The accreditation phase aims to evaluate whether the risk posed by the identified vulnerabilities is acceptable. Once completed, the system owner can operate within specific terms or be denied authorization to operate. It consists of:

  • Security accreditation decision
  • Security accreditation documentation 

3.1. Security accreditation decision

The authorizing official independently affirms the system vulnerabilities and lists corrective actions using input from the system owner, security officer, and certification agent. 

  • Determine risks: The authorizing official reviews the final package and assesses the vulnerabilities’ impact to determine which pose high risk and which can be tolerated. 
  • Accept risks: After evaluating the certification results, if the risk is acceptable, the authorizing official issues permission to operate without restrictions.

If the risk level is unacceptable but an urgency exists to operate the system, the official issues an interim authorization. This does not accredit the information system – the system owner has to submit a detailed plan of action to start the operations under specific terms and conditions. 

If the agency-level risk is unacceptable, the information system will not be accredited or authorized to operate. 

3.2. Security accreditation documentation 

This is the final stage of the FISMA certification and accreditation process, during which the package is handed over to the right individuals, and the plan is updated with the latest information. 

  • Transmit the accreditation package: A copy of the final accreditation decision is shared with the system owner. This package should be retained and shared with auditors and oversight agencies on request.
  • Security plan update: Continuously update the security plan to reflect changes in the information system. Do not make major changes at this phase. 

4. Continuous monitoring phase

The goal of this phase is to monitor and track the status of security controls while keeping the authorizing officials in the loop. As the name suggests, it is an ongoing process throughout the information system life cycle. This phase consists of:

  • Configuration management and control
  • Security control monitoring
  • Status reporting and documentation

4.1. Configuration management and control

As information systems are continuously updated, it is critical to document these changes and analyze their impact level. This helps you maintain your security accreditation. 

  • Document system changes: Record suggested and implemented changes in the system software, hardware, and firmware. Examples include version release numbers, descriptions of new features, modifications to the physical environment, and more. This information helps assess the impact of changes to the information system. Avoid making major changes before their security impact has been assessed.
  • Analyze security impact: Implementing new changes can introduce vulnerabilities. If the impact analysis shows that the suggested changes may affect the system security, the corrective actions should be planned, and the plan of action should be revised.

4.2. Security control monitoring

Control monitoring in real-time helps to identify gaps in the security controls overlooked during the impact analysis. 

  • Security control selection: The criteria for selecting controls to monitor should align with the priorities of the agency’s information system. If a set of controls is more critical due to its impact, monitor it more frequently than the less critical ones. 
  • Security control assessment: Information system owners should develop the methods and processes for continuous control monitoring using NIST 800-53A as guidance. They should document these processes and implement corrective actions if the controls fail to meet the desired level of effectiveness.

4.3. Status reporting and documentation

The status reporting activity seeks to record the actual changes made to the information system, update the monitoring activities of the monitoring phase, and report the information system status to the relevant officers.

  • Security plan update: Update the system security plan as often as needed with information system data to reflect its latest status. This activity is critical to enabling the responsible officers to make security and accreditation decisions. 
  • Milestone update: The plan of action and milestones should contain the progress of the planned activities, address the vulnerabilities identified during the impact analysis, and detail the plan to address them. 
  • Status reporting: Describe your monitoring activities, status of vulnerabilities, security impact analysis, and the plan to address the gaps. This report evaluates the need for re-accreditation and should be updated at an appropriate frequency. 

The cost of FISMA violations: repercussion for your business 

FISMA compliance is compulsory for organizations that want to continue working with federal agencies. Based on your audit result, if the potential impact of information loss is deemed severe, this means loss or termination of the contract. FISMA is the gateway to work: when you don’t pass the audit, you don’t get work.

Unlike frameworks such as GDPR or HIPAA, there are no regulatory fines under FISMA. In simpler terms, a low score for a government agency results in a loss of work. If a partner or a private business fails to comply, the penalty is loss of federal funding or of the contractual agreement.

Manage FISMA requirements with Sprinto

Compliance frameworks are stringent, primarily if the requirements stem from federal government regulations. Failure to meet the essential requirements and minimum level of protection can result in loss of contract. 

FISMA demands continuous control visibility, pushing organizations to move beyond manual compliance methods to automated and digitized solutions. Sprinto simplifies this shift by offering streamlined workflows for multiple frameworks like NIST, ISO 27001, FedRAMP, and custom frameworks, including FISMA.

With the Bring Your Own Framework (BYOF) feature, you can easily import FISMA controls onto Sprinto’s dashboard and activate automated compliance checks. You can also reduce workload by leveraging control overlap and reusing efforts from frameworks like NIST. 

Sprinto expands compliance programs through automated evidence collection, security policy templates, training modules, and role-based access controls.

Sprinto helps you successfully implement all the requirements. It continuously monitors your controls, conducts risk assessments, and notifies your team of any instances of non-compliance. It automatically collects evidence of your corrective actions, identifies vulnerabilities, implements custom policies, and suggests patches. 

Get a cost-effective security program now. Talk to our experts

FAQs

What are the FISMA requirements for staying compliant?

To meet FISMA’s compliance requirements, conduct a system risk categorization to understand your current level of security, implement the baseline security controls outlined in NIST 800 53, document the controls and compliance effort as per FIPS 199, conduct annual security reviews, and implement continuous monitoring to identify security risks and avoid compliance violations. 

What are the impact levels according to FIPS 199?

Federal systems have three impact levels: low (limited adverse effect on operations, assets, or individuals), moderate (significant or serious damage to operations, assets, or individuals), and high (severe or major damage, loss of assets, or potential loss of life). The impact level essentially refers to the effect on the system if there is a breach.
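As an added example (not code from the article or from Sprinto), the FIPS 199 categorization used in the Categorize systems step and described in this answer, carried out for a constructed set of information types. The roll-up from per-objective levels to one overall system category uses the high-water-mark rule that FIPS 200 applies to a FIPS 199 categorization; the information-type names and their ratings are assumptions.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels for a security objective; ordering lets max() pick the higher level."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types a hypothetical loan-servicing system
# handles, each rated per objective. Names and ratings are assumptions.
SAMPLE_INFO_TYPES = {
    "public_web_content":   {"confidentiality": Impact.LOW,      "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "student_loan_records": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "payment_disbursement": {"confidentiality": Impact.MODERATE, "integrity": Impact.HIGH,     "availability": Impact.MODERATE},
}


def validate(info_types):
    """Reject incomplete or unknown ratings first: a silently missing objective would lower the category."""
    for name, ratings in info_types.items():
        missing = set(OBJECTIVES) - set(ratings)
        if missing:
            raise ValueError(f"{name}: missing objective(s) {sorted(missing)}")
        for obj, level in ratings.items():
            if obj not in OBJECTIVES or not isinstance(level, Impact):
                raise ValueError(f"{name}: bad rating {obj}={level!r}")


def categorize_system(info_types):
    """Per objective, the system's impact is the highest impact of any information type it processes."""
    validate(info_types)
    return {obj: max(r[obj] for r in info_types.values()) for obj in OBJECTIVES}


def overall_category(sc):
    """High-water mark: the overall system category is the highest per-objective impact."""
    return max(sc.values())


def driving_types(info_types, sc):
    """Which information types set each objective's level; useful when reviewing the categorization (step 1.3)."""
    return {obj: sorted(n for n, r in info_types.items() if r[obj] == sc[obj]) for obj in OBJECTIVES}


def format_sc(sc):
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES) + "}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc(sc))
    print("overall:", overall_category(sc).name)
    print("driven by:", driving_types(SAMPLE_INFO_TYPES, sc))
```

Adding or re-rating a single information type changes the category only if it raises an objective above the current maximum, which is why the driving types are worth recording in the security plan.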

What is the difference between FISMA and FedRAMP?

FISMA is a law that governs information security management across federal agencies. In contrast, FedRAMP is a specific program that focuses on ensuring the security of cloud products and services used by federal agencies. 

What are the five levels of FISMA?

FISMA has five maturity levels: Ad Hoc, Defined, Consistently Implemented, Managed and Measurable, and Optimized. 

Anwita
Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
