Every year, the federal government conducts hundreds of audits of agencies to make sure they are in compliance with FISMA. The audit is a process to review an organization’s compliance with the Federal Information Security Management Act. An audit assesses the policies, procedures, and overall effectiveness of information security management practices at an organization. The goal of an audit is to provide assurance that the policies are in place and being followed so as to reduce risks to IT assets. This article will explore what FISMA is, why it is there, and what they are looking for.
- What is the purpose of conducting an audit with FISMA?
- What is the FISMA audit process?
- What is FISMA compliance?
- What are the benefits of an audit with FISMA?
- What are the regulatory requirements for conducting an audit?
- What is the goal of an audit?
- What laws/policies/regulations govern the audits?
- Who can perform the audit?
- What are the requirements of an audit?
- What are the results of an audit?
- What does a FISMA report contain in security controls?
- What is a FISMA remediation plan?
- Caveats, disclaimers, federal agencies & the federal government
What is the purpose of conducting an audit with FISMA?
The main reason to conduct an audit is to ensure that an organization is complying with applicable laws, directives, policies, and standards related to information security and risk management. It’s also used as part of the process to obtain an agency-wide authority to operate. It is also an important part of an ESG audit which quantifies the sustainability of your business.
What is the FISMA audit process?
An audit is one that evaluates an organization for compliance with standards or guidelines set by a country’s laws. For example, with regard to the security of information systems and networks, FISMA and its compliance requirements apply to federal agencies in the United States. The law requires all U.S. federal agencies, regardless of size or location, to have a formal information security program defined in writing. In other words, each agency must practice the documented procedures specifically designated for their organization’s computer network security system. This compliance should include risk assessment, vulnerability scanning, penetration testing, and other security measures.
The audit process begins with the scoping or selection of systems to be audited. The next step is the identification of risks and vulnerabilities associated with these systems. This is followed by an evaluation of the controls in place to mitigate these risks. The final step is to monitor the performance of these controls to ensure continued compliance.
What is FISMA compliance?
There is a federal law that requires government agencies, as well as those who manage them, to conduct periodic assessments of the risks and vulnerabilities associated with data security on their systems. These audits are also known as security certifications or system certifications. A comprehensive audit may include risk assessment, vulnerability scanning, penetration testing, configuration management, logging, and auditing review; it can be completed by an internal IT auditor or outsourced to external third-party firms. The process has many benefits for both the agency involved in the audit and any company providing services related to these audits.
An audit will help you assess your risk exposure before it becomes a problem; identify potential vulnerabilities in your systems; ensure compliance with
What are the benefits of an audit with FISMA?
There are many benefits for business leaders who undergo this type of assessment including improved IT operations; reduced risk; increased customer satisfaction; increased employee productivity; and increased shareholder value. Also, regular audits will:
- Identify Areas for Improvement – An audit will help identify areas where security controls need to be strengthened or reviewed. This includes vulnerabilities in your current system and data protection practices.
- Compliance with Regulations – Completing an audit is one of the requirements for compliance with federal regulations such as IDEA and HIPAA.
- Protect Sensitive Data – An audit will help ensure that sensitive data is being properly protected from unauthorized access, use, disclosure, or destruction.
- Identify Risks to Data – An audit helps highlight areas where data security can be breached. This allows IT leaders to assess how important these systems are in the organization and what needs to be done to prevent unauthorized access, use, disclosure, modification, or destruction.
- FISMA Training – An audit will also help determine what training is required to achieve and maintain compliance with applicable laws, directives, policies, and standards.
What are the regulatory requirements for conducting an audit?
FISMA requires federal agencies to implement policies and procedures to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Each agency must develop an organization-wide plan for providing adequate information security for the information and information systems that support its operations and assets. The plan must be in compliance with applicable federal laws, directives, policies, standards, and guidelines.
The most renowned of these is NIST 800-53 which provides a detailed description of each control requirement within three security objectives: confidentiality, integrity, and availability. FISMA also requires federal agencies to conduct self-assessments at least once every year. These systems should be maintained for their entire life cycle and updated as the network changes.
FISMA mandates that all information within government agencies be handled in accordance with applicable laws, directives, policies, standards, and guidelines. This applies to personally identifiable information (PII) as well. In order to ensure this is done, agencies must complete an audit at least once every three years.
What is the goal of an audit?
The goal of an audit is to identify and assess an organization’s compliance with laws and regulations related to information security. The audit will also help IT leaders better understand how employees are using PII and other sensitive information.
What laws/policies/regulations govern the audits?
There are three key pieces of legislation related to FISMA that require regular assessment: the Federal Information Security Management Act (FISMA), the Identity Theft Enforcement and Restitution Act of 2008 (IDEA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). FISMA is the law that governs how federal agencies manage information security risks to systems and data under their control. IDEA is the law that governs the privacy and security of PII. HIPAA is the law that sets national standards for electronic healthcare transactions.
Who can perform the audit?
FISMA audits must be performed by designated auditors who have the authority and expertise necessary to conduct an independent assessment of management’s assertions. The scope of what they can assess is defined in NIST 800-53.
An audit must be performed at least once every three years and meet all of these 3 standards…
What are the requirements of an audit?
An audit must be performed at least once every three years and meet all of these standards:
- Heightened Awareness – The auditor should be knowledgeable in laws, directives, policies, standards, and guidelines that apply to risk management, security assessment, and compliance testing.
- Objectivity and Independence – The auditor should be independent, meaning they cannot work for the audited agency and must follow auditing standards such as generally accepted government auditing standards (GAGAS).
- Sufficient Resources – Auditors need to have access to information and resources needed to complete an independent assessment. These include sufficient time, staff, and funding.
- Appropriate Scope – The audit should have a defined scope that is agreed upon by the audited agency and the auditor. It should be tailored to meet the specific needs of the organization being audited.
- Competent Personnel – Auditors need to be competent in the areas they are assessing. This includes having knowledge of information security and risk management, as well as the ability to apply relevant standards and guidelines.
What are the results of an audit?
The results of an audit should include an assessment of how well the organization is complying with applicable laws, directives, policies, and standards. It should also identify any areas where improvements are needed. The audit should also include a plan for addressing any issues found during the assessment process.
What does a FISMA report contain in security controls?
An audit report should summarize the scope of the audit and results from testing, as well as specific findings and action items that need to be addressed within 30 days of completing an audit. It should also include contact information for the auditors and agency management.
What is a FISMA remediation plan?
A FISMA remediation plan is a document that outlines how an organization will address any findings from the audit. The plan should include specific actions, timelines, and responsible parties for completing the tasks. It may also include a schedule for monitoring and reporting on progress.
Caveats, disclaimers, federal agencies & the federal government
At ESG | The Report, we believe that we can help make the world a more sustainable place through the power of education. We have covered many topics in this article and want to be clear that any reference to, or mention of the federal government vs. a federal agency vs. an official government organization, financial compliance and data security, information systems & security categorization, sensitive information on an official website or firm’s requirements and risk levels for state agencies in the context of this article is purely for informational purposes and not to be misconstrued as investment or any other legal advice or an endorsement of any particular company or service. Neither ESG | The Report, its contributors, or their respective companies nor any of its members gives any warranty with respect to the information herein and shall have no responsibility for any decisions made, or actions taken or not taken which relates to matters covered by ESG | The Report. Thank you for reading, and we hope that you found this article useful in your quest to understand ESG and sustainable business practices. We look forward to living in a sustainable world.
Dean Emerick is a curator on sustainability issues with ESG The Report, an online resource for SMEs and Investment professionals focusing on ESG principles. Their primary goal is to help middle-market companies automate Impact Reporting with ESG Software. Leveraging the power of AI, machine learning, and AWS to transition to a sustainable business model. Serving clients in the United States, Canada, UK, Europe, and the global community. If you want to get started, don’t forget to Get the Checklist! ✅