When two alpinists approach the same rock wall, they may both have the goal of reaching the summit, but the process they take to get there likely diverges greatly. Maybe one hikes up the backside while the other opts to climb the rock face directly—it likely depends on their individual skills, their gear, etc.
When dealing with government compliance, there’s also a common goal—to do business with America’s federal government. To do that, you’re going to have to prove your environment and offerings are secure one way or another (“hiking” or “climbing”).
There are so many facets to government compliance—including an alphabet soup of acronyms like FISMA, FedRAMP, NIST, FIPS, and CMMC—that it can be difficult to know which path you should take in your desire to sell to the government.
FedRAMP and FISMA both have the same basic goals—to protect government data and reduce information security risk within federal information systems. But the way they each ask organizations to do that is very different.
Having assessed for compliance with both, we often get questions about these differences between FedRAMP and FISMA. So, in this article, we’re going to paint a complete picture—we will establish what each of these federal frameworks is and what they do before highlighting the key differences between them.
You may need to “hike” or you may need to “climb” your way to federal compliance, but after reading this, you’ll know more definitively the distinctions between these paths.
What is FISMA?
The older of these two frameworks, FISMA stands for the Federal Information Security Management Act. Enacted in 2002, it requires all federal agencies to:
- Develop, document, and implement information security programs; and
- Protect the information and the relevant systems that support the operations and assets of the agency.
While yes, this is primarily a law that federal government agencies must follow, the requirements also extend to external (private sector) third parties serving as contractors to those departments.
Within the framework, FISMA’s specific requirements are drawn from multiple documents and standards. If you’d like to provide a service to the federal government, you’ll need to follow three documents to get FISMA compliant:
- Federal Information Processing Standard (FIPS) 199
- This requires you to categorize your systems/services based on the risks they pose. (To do that, you would first need to inventory the systems and information in use.)
- Your systems/services would be either low, moderate, or high impact, depending on what kind of detrimental effect a potential vulnerability or threat to those systems would have on government infrastructure.
- FIPS 200
- Once you’ve been categorized, this document outlines the minimum security control requirements you’ll need to meet (in 17 security-related areas).
- NIST SP 800-53 Rev. 5
- This publication specifically defines the baseline security controls—you’ll select from this list which ones to implement.
What is the FISMA Compliance Process?
Once you’re done taking stock of the information flowing through your systems and you’ve determined your risk category, the next steps in obtaining FISMA compliance consist of the following:
- Design Your System Security Plan: Once you’ve designed this, you’ll be obligated to not only keep to it but also ensure that it’s regularly maintained and updated.
- Implement Relevant Security Controls: Of the 18 categories of security controls NIST SP 800-53 contains, you are only required to implement the ones that are relevant to your systems to achieve FISMA compliance.
- Conduct Risk Assessments: Analyze your risk at the organizational level, business-process level, and information system level.
- Get Certified and Accredited: This will require annual reviews of work done in previous steps to maintain compliance.
- Certification involves learning best practices, identifying weaknesses, and making changes to safeguards, whereas accreditation involves implementing the actual FISMA requirements.
Technically, only government agencies can be FISMA compliant, but vendors can seek out independent attestations and gap assessments against the NIST 800-53 requirements that form the backbone of FISMA.
What is FedRAMP?
Let’s move on to FedRAMP, which stands for Federal Risk and Authorization Management Program. Launched in 2011, it’s a centralized security program for cloud providers seeking to do business with the federal government. FedRAMP uses the same documentation backbone as FISMA: you’re asked to categorize your risk before implementing the relevant NIST SP 800-53 controls.
To sell cloud services to a federal agency, cloud providers must obtain a FedRAMP Authority to Operate (ATO), which requires a security assessment performed by a third-party assessment organization (3PAO).
What is the FedRAMP Process?
You cannot begin to provide services until you’ve completed the FedRAMP program, which involves these steps:
- Initiation: You’ll need to decide which of the two approaches will work best for your organization—agency sponsorship or through the Joint Authorization Board—and take the appropriate action to get started.
- The FedRAMP Readiness Assessment can play an important (or even requisite) part in this.
- Assessment: Engage a 3PAO to perform an independent security assessment of your cloud service offering against the requirements of NIST SP 800-53.
- Authorization: Send the completed assessment to the FedRAMP Project Management Office (PMO).
Once the PMO has signed off, the agency you’re working with can assume the risk you carry by issuing you an ATO. (Those who choose the JAB route can obtain a Provisional Authority to Operate (P-ATO) from that board, but only an agency can truly give you the green light for your services.)
Key Differences Between FedRAMP & FISMA
With all that established, there are two clear similarities between these two programs:
- Both FedRAMP and FISMA were developed as a framework for assessing security in order to obtain an Authority to Operate (ATO).
- Both depend on the NIST guidelines.
However, there are several critical differences between them:
- Who is Required to Comply
- FISMA: All federal agencies, departments, and contractors are required to comply with FISMA standards (whether they are service providers or not).
- FedRAMP: Reserved only for third-party cloud service providers who currently do or plan to provide a cloud solution to host federal information.
- Compliance Assessor Type
- FISMA: Any third party capable of conducting an assessment against the NIST SP 800-53 requirements can be used by a federal vendor to gauge compliance.
- FedRAMP: FedRAMP assessments must be performed by a 3PAO.
- Controls and Categories
- FISMA: Leverages NIST SP 800-53 with control parameters defined by the organization providing services to a federal agency.
- FedRAMP: Leverages NIST SP 800-53 with control parameters defined by FedRAMP and includes additional controls required by FedRAMP.
- Compliance Process
- FISMA requires that agency program officials, CIOs, and inspectors general conduct annual reviews of the established information security program and report the results to the Office of Management and Budget (OMB).
- FedRAMP is a “do once, use many times” framework for the assessment of cloud products and services. As such, it’s a far more stringent authorization process that may require work with a consultant before engaging your 3PAO.
Learning More About Federal Compliance
The American government is the largest single creator, collector, consumer, and circulator of information in the country. Even if you’re not currently doing business with them, there’s a good chance any policy changes at this level will trickle down to the commercial sector.
As such, it’s good to understand the different security regulations in play, and now you know a little more about two of the big ones in FISMA and FedRAMP, including what makes up the backbone of their security requirements.
To continue learning about how the government approaches cybersecurity and how it may affect you, check out our other content that sheds light on different aspects:
About JORDAN HICKS
Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.