What Are FISMA Audits and How Do Federal Contractors Conduct Them? – The National Law Review

Federal contractors and government agencies that have access to sensitive data or sensitive government information must comply with the cybersecurity requirements established under the Federal Information Security Modernization Act (FISMA) and its enabling regulations. The Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and various other federal agencies have published guidance as well, and Executive Order 14028 (issued on May 12, 2021) establishes additional requirements for maintaining FISMA compliance.
In short, establishing and maintaining FISMA compliance is a time-consuming and resource-intensive process, and federal contractors need to ensure compliance on an ongoing basis. To determine whether they are remaining FISMA compliant (and, if they aren’t, to determine what they need to do), federal contractors can (and should) conduct internal FISMA audits. 
“Conducting regular FISMA audits is a key component of an effective FISMA compliance program. Federal contractors that use the audit process to their advantage can effectively manage their risk while keeping sensitive government data secure.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
There are several steps involved in conducting a FISMA audit, and for an audit to be effective it must be truly comprehensive. Overlooking systems, data storage facilities, or compliance failures can defeat the purpose of the audit and leave contractors believing they are compliant when in fact they are exposing sensitive government information (and themselves) to attack.
To conduct comprehensive and effective FISMA audits, there is a lot that federal contractors need to know. Here is some key information about the FISMA audit process: 
The Federal Information Security Modernization Act applies to federal contractors that have access to sensitive government information. As the CISA explains, FISMA requires federal agencies and contractors, “to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.” The information covered under FISMA includes, but is not limited to, controlled unclassified information.  
Federal contractors that have access to sensitive government information must conduct FISMA audits, and they should rely on outside counsel to manage and oversee all aspects of the audit process. Not only is comprehensiveness critical, as we have already discussed, but federal contractors will also need to rely on their counsel to evaluate their FISMA compliance programs and identify any compliance failures.
Simply put, a FISMA audit is a comprehensive examination of a federal contractor’s efforts to comply with the Federal Information Security Modernization Act and the rules and regulations promulgated thereunder. However, practically speaking, a FISMA audit is far from a simple process. Conducting an effective audit requires an in-depth understanding of the contractor’s IT systems, data storage facilities, and government business, and it requires equal knowledge of the various sources of legal authority that apply. When conducting FISMA audits, federal contractors should generally reference the government’s published guidance as well—including the FISMA metrics that CISA publishes and updates annually. 
Federal contractors should conduct FISMA audits annually—both to assess the continued efficacy of their compliance programs and to document their ongoing efforts to maintain compliance. Contractors should also generally conduct audits when they: (i) modify their information systems, data storage facilities, or operating environments; (ii) execute major deployments of new hardware through which employees will access sensitive government information; or (iii) gain access to new types of controlled information; and (iv) whenever CISA, NIST, or any other federal agency or authority issues significant updates to its regulations or FISMA guidance.
The answer to this question is not necessarily as straightforward as it may seem. While federal contractors must audit their own information systems, security controls for federal information systems, and operating environments, they must also examine third-party operating systems and data storage platforms (including managed services platforms and cloud servers). Again, comprehensiveness is key, and this is a theme you will see emphasized repeatedly. When conducting FISMA audits, federal contractors must examine all relevant hardware and software—whether located at their offices, in the field, or in third-party facilities.
FISMA audits are necessary for two primary reasons. The first is protecting the security of sensitive government information. Contractors that have access to this information must protect it, and they must generally deploy the same level of protection as the federal government under FISMA. 
Second, federal contractors that fail to comply with FISMA can lose their government business. They can face other penalties as the result of ensuing federal audits and investigations as well. As a result, conducting FISMA audits is a key element of effective risk management for federal contractors. By conducting FISMA audits, federal contractors can ensure that they remain in compliance (and that they remedy any compliance deficiencies promptly), and this will allow them to manage their contract-related cybersecurity risk effectively. 
Now that we’ve covered the who, what, when, where, and why of FISMA audits, we can focus on how to audit FISMA compliance effectively. Conducting an effective FISMA audit is a multi-step process, and contractors must work with their outside counsel during each step to ensure that their audits lead to accurate conclusions.
With this in mind, some of the key steps involved in conducting a FISMA audit include: 
Identifying All Relevant Internal Systems, Software Applications, and Hardware – As even a single compliance failure can expose sensitive government data to malicious intrusions, federal contractors must comprehensively identify all systems, software applications, and hardware that need to be reviewed. This starts with identifying all relevant assets internally. 
Identifying All Relevant External Systems, Services, and Facilities – When conducting FISMA audits, federal contractors must identify all relevant external systems, services, and facilities as well. Even when federal contractors engage third-party data storage providers and cybersecurity vendors, contractors remain directly responsible for FISMA compliance. 
Examining the Federal Contractor’s FISMA Compliance Documentation – Federal contractors need to ensure that their compliance documentation remains adequate in light of any changes to their operating environments, their risks, or the applicable FISMA rules or regulations. As new cybersecurity solutions come to market and new threats arise, these may necessitate changes to contractors’ FISMA compliance programs as well. 
Addressing Any New FISMA Regulations or Guidance – The CISA issues updated FISMA metrics annually, and it is not unusual for new regulations or Executive Orders to alter federal contractors’ FISMA compliance burdens. Contractors must remain up-to-date on all pertinent FISMA compliance requirements and address any material changes as necessary. 
Evaluating the Contractor’s System Security Plan and Cybersecurity Controls – A System Security Plan (SSP) is a key component of an effective FISMA compliance program, and FISMA requires that federal contractors adopt various cybersecurity controls. Both the SSP and the cybersecurity controls it describes should command particular attention during the FISMA audit process.
Assessing the Contractor’s Testing, Enforcement and Monitoring Efforts – Testing (including ground truth testing beyond the use of standard vulnerability scanning tools) is a key component of FISMA compliance as well. FISMA audits should focus on assessing the efficacy of contractors’ testing efforts, and they should thoroughly examine contractors’ enforcement and monitoring efforts as well. 
Assessing the Contractor’s Log Management Capabilities – To maintain FISMA compliance, federal contractors should have robust log management capabilities. They should have systems in place to log all updates, patches, tests, and threats as a matter of course, and these systems should securely store all logged data in a manner that allows for efficient retrieval when necessary. 
Reviewing the Contractor’s Certifications and Accreditations – Maintaining FISMA compliance may also require the maintenance of various certifications and accreditations. When conducting FISMA audits, contractors should ensure that they have all necessary certifications and accreditations, and they should confirm that all requisite certificates remain active. 
Examining the Contractor’s Smart Patch Management Processes – FISMA audits should also examine federal contractors’ smart patch management processes. As the CISA notes, “Operations can be impacted by software patches that create unintended consequences to interoperability. However, unpatched systems can leave vulnerabilities exposed that can be exploited by adversaries.” As a result, when conducting audits, federal contractors must ensure not only that they have implemented all necessary patches for all relevant applications, but also that these patches have not inadvertently created new vulnerabilities. 
Examining the Contractor’s Resilience – Finally, to ensure that their operations and secure environments are resilient, federal contractors should have documented incident response, disaster recovery, business continuity, and business impact analysis plans in place. As part of the FISMA audit process, federal contractors should review these plans; and, to the extent that they have invoked any of these plans since their most recent audit, they should examine how well the plans performed in those real-world scenarios.
This list is far from comprehensive. Establishing and maintaining FISMA compliance is not easy, and assessing FISMA compliance involves a similar level of difficulty. But, with the right approach, federal contractors can use the audit process to help them manage FISMA compliance effectively, and they can use their audit documentation to demonstrate compliance to their contracting agency (or other federal authorities) when necessary. 
About this Author
Dr. Nick Oberheiden focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation. He has defended clients in PPP Loan Fraud cases and COVID-19 investigations. Nick also directs internal corporate investigations and he leads defense teams in whistleblower actions, corporate defense cases, as well as cases involving national security and elected officials.
Clients from more than 45 U.S. states have hired Nick to seek effective protection against government…