FISMA-based Security Assessments
Information security (and specifically cybersecurity) continues to grow in importance. With the continued and increasing threat to critical infrastructure, the requirements for improved security for government contractors have also increased. Over the past five years, U.S. Government contractors have seen additional requirements for certified systems that can meet the requirements of the NIST Cybersecurity Framework (CSF).
Originally, the CSF was intended for U.S. companies that are considered part of U.S. critical infrastructure (e.g., communications, information technology, the defense industrial base, etc.). Many companies, especially service companies, have had limited interaction with the CSF because they did not operate systems requiring independent NIST SP 800-53 based FISMA or FedRAMP accreditations. With high-profile cyber incidents on the rise, requirements for implementation of the CSF are becoming more frequent for government contractors.
On December 30, 2015, DoD amended both DFARS 252.204.7008 (Compliance with Safeguarding and Covered Defense Information Controls) and DFARS 252.204.7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), giving contractors until December 31, 2017, to fully implement all NIST SP 800-171 requirements on the covered contractor information system. Notwithstanding the 12/31/2017 phase-in period, contractors must notify DoD within 30 days after contract award “of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award”. NIST SP 800-171 organizes its requirements into 14 families, with each family containing basic security requirements derived from both NIST SP 800-53 and FIPS 200.
i3 supports the assessment of your security controls using the 800-53 or 800-171 standards, as applicable. We conduct organizational risk assessments using the NIST 800-37 Risk Management Framework and classify information systems using FIPS 199 and NIST 800-60. We categorize security controls using FIPS 200 and assess security controls using NIST 800-53 or 800-171. Based on the results of the assessment, i3 develops fully compliant policies and procedures to support FISMA compliance and meet government security compliance documentation requirements. We support the recovery of any findings through the Plan of Action and Milestones (POA&M) process. For a full assessment and recovery project, we follow the 6-step process summarized in our 'i3 FISMA Security Assessment and Recovery Roadmap'.