FISMA Compliance


  • Federal government agencies must comply with FISMA, but the law has been expanded to include others as well: state government agencies that administer federal programs, in addition to private vendors that maintain contracts with the federal government. However, those non-federal organizations do not have to validate compliance.

According to FISMA, a comprehensive information security program should include the following:

    • Establish a program for managing information security risk
    • Document policies and procedures
    • Select security controls for systems
    • Establish a security training program
    • Monitor controls on an ongoing basis
    • Establish a remediation program
    • Establish an incident response and reporting program
    • Establish a continuity-of-operations balance
  • <hr size=0 width=”100%” align=center>
  • Data Breaches Reported by Federal Agencies 2006-2012
  • FISMA also requires the National Institute of Standards and Technology (NIST) to create guidelines and standards that agencies use to protect their information assets. A recent revision to NIST’s SP 800 series of computer security publications, which assists agencies in their FISMA compliance through a risk-based approach, includes an increased focus on the insider threat, mobile devices, advanced persistent threats and supply-chain risk.

There also is increased emphasis on continuous monitoring. To validate compliance, the chief information officers of federal agencies are required to submit monthly data feeds from their automated security management tools into CyberScope, a web-based reporting tool released by the Office of Management and Budget. Inspectors general for each agency also are required to make an annual report through CyberScope.

The Department of Homeland Security (DHS) then assesses the CyberScope data and asks agencies to develop a plan-of-action to remedy any shortcomings. In addition, DHS conducts annual interviews with the CIOs and CISOs of each agency to determine their progress toward security best practices and FISMA compliance.

In 2011, the U.S. Government Accountability Office (GAO) found that data breaches at federal agencies rose 650 percent in five years. Along the way, the GAO, which is the independent investigatory arm of Congress, has audited numerous agencies, often resulting in findings of lax security. The GAO’s reports are made public and typically attract widespread press coverage. In its reports, the GAO has discovered the implementation of weak security controls, mostly around data/device protection, access limitations, patch management awareness training and risk assessments. A recent review by the GAO found that the 24 major federal agencies have achieved many of the pieces required for a successful information security program, but there are still improvements to be made.


  • There is no formal penalty structure for non-compliance, although legislation has circulated that would create that. However, agencies face reputational harm for failing to comply because an annual FISMA report is presented to Congress. In addition, agencies failing to comply face the possibility of budget cuts. As well, their information and security leaders may be forced to testify before federal lawmakers to explain their poor security posture.


  • Through a comprehensive portfolio designed to respond to modern-day security threats, GTIS helps government agencies ensure compliance with FISMA requirements.
Plan and Prepare

Conducting a Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. GTIS helps you find gaps that may exist between your current security posture and FISMA requirements. The customizable assessments, scaled individually for your government agency, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.

Address Gaps and Vulnerabilities

FISMA requires government agencies to establish a comprehensive information security program. Here are some of the ways we can help:


Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.

Network Access Control

Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.

Data Loss Prevention

Allows you to discover and classify sensitive data and prevent it from leaving the network.

Web Application Firewall

Protects web applications against external attackers who may use vulnerabilities, such as SQL injection, to steal sensitive data.

Secure Web Gateway

Prevents bandwidth-hogging spam and data-stealing attacks from entering the network, while inspecting outbound content to ensure confidential data doesn’t exit.

Incident Readiness and Response

Prepares your staff to proactively identify the indications of a breach and contain it quickly and effectively.

Security Awareness Education

Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including password management and the safe use of web and social media tools.