What is the Difference Between FISMA and FedRAMP?

  • FISMA is a federal law that requires all federal agencies to follow prescribed guidelines to strengthen the security of their information systems. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
  • Both FISMA and FedRAMP were developed with the same end goal: protecting government data and reducing information security risk within federal information systems. Both depend on the NIST guidelines; however, there is a distinct contrast between the two in terms of federal policy, security controls, and authorization.
  • FISMA compliance assessments are performed by the agency directly or by any third party that conducts security assessments, while FedRAMP assessments are performed by a FedRAMP-recognized Third Party Assessment Organization (3PAO). A 3PAO is not required for every agency ATO, but some agencies have an internal requirement to use a 3PAO for all FedRAMP systems. Always verify with the approving agency prior to engaging an auditor.
  • Federal agencies looking for a FedRAMP-authorized product or service will likely also expect it to be FISMA-compliant. Cloud service providers should meet both FISMA and FedRAMP requirements to obtain and maintain an Authority to Operate (ATO) from the U.S. government.

FISMA/NIST SP 800-53

The Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014, defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats, including cyber-security threats. It requires every federal agency to identify the security risks posed to its systems and take appropriate steps to mitigate them.

In order to receive an Authority to Operate (ATO), vendors and contractors are required to demonstrate FISMA compliance through the security assessment and authorization process outlined in the Risk Management Framework (RMF, NIST SP 800-37). FISMA requires the use of National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53), "Security and Privacy Controls for Federal Information Systems and Organizations," as the catalog of controls to select from, implement, and assess.

DirectDefense consultants will work closely with your organization or agency to ensure FISMA compliance.

Through a full range of offerings, our security experts will evaluate and determine system requirements, build out the required components, and assess the overall readiness of your systems. Choose from the following FISMA Assessment and Authorization services:

Pre-Assessment

  • FIPS 199 Security Categorization/High Value Asset Determination
  • E-Authentication Workbook
  • Business Impact Analysis (BIA)
  • Contingency Plan (CP)
  • System Security Plan (SSP)
  • Privacy Impact Assessment (PIA)
  • Interconnection Security Agreement (ISA)/Memorandum of Understanding (MOU)
  • Security & Privacy Control Selection
  • Security Policies and Procedures

FISMA Security Assessment

  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestones (POA&M) Development
  • Penetration Testing
  • Vulnerability/FISMA Compliance Scanning
  • Quality Assurance Memorandum
  • Finalize Security Assessment & Authorization Package

Post-Assessment/Ongoing Security

  • Continuous Monitoring Activities
    • Scanning, security control review

  • Plan of Action and Milestones (POA&M) Management
    • Finding remediation and/or mitigation recommendations
    • POA&M documentation
    • POA&M maintenance

  • Cyber Security Strategy and Roadmap Development

FedRAMP Compliance

  • FedRAMP Education Session
    • FedRAMP security assessment framework
    • Maintaining FedRAMP authorization

  • Security Documentation Development and/or Updates
    • Information system policies/procedures
    • Required FedRAMP documentation (FedRAMP templates)

  • Security Control Tailoring and Implementation Support
    • Identification of applicable security controls
    • Designing compensating controls
    • Identifying inherited and common controls
    • Developing justification for security control exceptions and/or risk acceptance

  • Audit Preparation: Internal Personnel Assessment Preparation
    • Mock interviews prior to engaging with auditors

FedRAMP Testing Services

  • Vulnerability Scanning
    • Network vulnerability scanning, application scanning, and database scanning

  • Penetration Testing
    • Network, mobile application, and web application penetration testing, plus social engineering, scoped to align with the "FedRAMP Penetration Test Guidance"

  • Security Control Assessments for Agency Authorizations
    • Please note: a 3PAO is not required for every agency ATO; however, some agencies have an internal requirement to use a 3PAO for all FedRAMP systems. Always verify with the approving agency prior to engaging an auditor.

  • Plan of Action and Milestones (POA&M) Management
    • Finding remediation and/or mitigation recommendations
    • POA&M documentation
    • POA&M maintenance

Please note that if your organization is currently working to achieve a FedRAMP Authorization through a federal agency sponsorship, DirectDefense can perform the assessment. We ask that you confirm with your sponsoring agency in case it has additional 3PAO requirements.