Even if you aren’t selling to a government agency, it’s important to understand government regulations. The government is the largest single creator, collector, consumer and circulator of information in the country. If its policies change, there’s a good chance those changes will trickle down to the commercial sector. Add to that the alphabet soup of acronyms that come with it: FISMA, FedRAMP, NIST, FIPS, etc.
At Schellman, we often get questioned about the difference between FedRAMP and FISMA, and thought it beneficial to highlight the key differences.
FISMA stands for the Federal Information Security Management Act. Enacted in 2002, it outlines mandatory guidelines to strengthen the security of government information systems. FISMA depends on multiple documents and standards; federal agencies, departments and contractors are required to follow this framework. First and foremost, FISMA is a law that applies to government agencies.
In terms of FISMA’s applicability to the private sector, there are three key documents and standards that FISMA relies on when a federal agency considers obtaining a service from outside the federal government (referred to as the authorization process). They include:
- Federal Information Processing Standard (FIPS) 199: ranks information (low, moderate or high) based on the impact a vulnerability or threat would have on the infrastructure.
- FIPS 200: outlines minimum security control requirements (in 17 security-related areas).
- NIST SP 800-53 Rev. 4: defines the baseline security controls, which are selected according to the FIPS 199 impact ranking and the FIPS 200 minimum requirements.
FedRAMP stands for Federal Risk and Authorization Management Program. In short, it’s a centralized assessment program for cloud providers that mandates a security assessment be performed by a third-party assessment organization (3PAO) before cloud services can be sold to a federal agency. It launched in 2011, and requires that all federal agencies that currently use, or plan to use, the cloud first run through the FedRAMP program to assess security. If the provider passes, they are awarded a Provisional Authority to Operate (P-ATO). The program involves four steps:
- Initiating: applying for the assessment
- Assessing: hiring a third-party assessment organization (3PAO) to perform an independent security assessment
- Authorizing: sending the completed assessment to the FedRAMP Joint Authorization Board (JAB) or other certified agency
- Leveraging: continuing partnership between executive departments and agencies for ATO permissions
Key Differences Between FedRAMP and FISMA
Both FedRAMP and FISMA were developed as frameworks for assessing cloud security and granting an Authority to Operate (ATO), and both depend on the NIST guidelines, but as you can see, the authorization processes are different.
FISMA assessments may be performed by the agency directly or by any third party that conducts security assessments (including an individual agency’s senior officials). FedRAMP assessments, by contrast, must be performed by a 3PAO.
FedRAMP is a “do once, use many times” framework for the assessment of cloud products and services, and as such it’s a far more stringent authorization process. FISMA requires that agency program officials, CIOs and inspectors conduct annual reviews of the information security program and report the results to the Office of Management and Budget (OMB). All federal agencies, departments and contractors are required to comply with FISMA standards (whether they are a cloud service provider or not), whereas FedRAMP is reserved only for agencies or cloud service providers who currently use or plan to use a cloud solution to host federal information.
Finally, FedRAMP doesn’t introduce new controls; it adds controls drawn from the NIST baselines, and as a result it actually uses more controls than FISMA. FedRAMP authorizations also only address low to moderate impact levels, while FISMA covers low, moderate or high.
When vetting compliance services for your organization, your best bet is finding a provider that is a FedRAMP Program Management Office (PMO), an approved 3rd Party Assessment Organization (3PAO), a globally licensed PCI Qualified Security Assessor (QSA) and an ISO Certification Body. They will have the experience and certifications necessary to bring your organization up to date on security standards and keep it consistently compliant.