If you are carrying out any sort of work for the federal government, there is a strong chance you need to keep the data in a FISMA data center. This means that you either need a private/collocated FISMA compliant data center or to use a public cloud service with a FISMA compliant data center.
FISMA started as the Federal Information Security Management Act (of 2002) and was then updated as part of the Federal Information Systems Modernization Act (of 2014). FISMA sets out cybersecurity standards for federal government agencies (including state agencies that administer federal programs). It, therefore, extends to any contractors that work in these sectors. Like FedRAMP, FISMA rules are based on NIST SP 800-53.
On its own, a FISMA data center is not sufficient for contractors involved in the Federal Information Security Management Act (of 2002). They need to have a CMMC (Cybersecurity Maturity Model Certification) data center. The CMMC certification is based on NIST SP 800-171 and NIST SP 800-172.
Being able to demonstrate that you run or use a FISMA compliant data center can also be a competitive advantage in other areas. For example, broader state and local agencies are likely to be reassured by evidence that a contractor is FISMA compliant. Similar comments apply to businesses and other private organizations handling sensitive data.
In fact, storing your data in a FISMA data center can be a very effective defensive measure against unwittingly falling foul of FISMA. Ignorance is unlikely to be an excuse here (even if it’s demonstrably true), especially not at the enterprise level.
Before you decide whether or not you want to run a FISMA data center, you will need to think about whether or not you realistically can. You will also need to think about whether you can commit the necessary resources to completing the annual evaluations required of FISMA compliant data centers. These must be conducted by either an external auditor or the agency Inspector General.
Unfortunately, there is no one-size-fits-all approach to creating a FISMA data center. Even if there were, it would probably be continually updated to reflect the ever-changing nature of IT threats. As it is, running a FISMA data center essentially means being able to demonstrate that you can capably manage key areas of cybersecurity.
Information system inventory
You can only protect something if you know you have it. FISMA therefore requires contractors to create and maintain an accurate inventory of all the systems used in their work for the federal government. This should include the boundaries of, and connections between, the different system components.
A FISMA data center does not need to apply the very highest levels of data security to all federal data. It simply needs to apply an appropriate level of data security for the threat posed to the data. To do this, it needs an effective strategy for assessing risk.
This is essentially a corollary of the previous point. It is not enough just to have a strategy for assessing risk effectively; you need to be able to apply it. That means you need to ensure that there is somebody who takes overall responsibility for making sure that it happens. You also need to ensure that this person has sufficient resources to do their job effectively.
Similar comments apply here. In the real world, a security breach occurs when somebody finds a crack in an organization’s security defenses. The more disjointed an organization’s security defenses are, the likelier it is that an attacker will be able to find a point of entry.
It therefore follows that the most effective security controls are driven by an overarching, holistic security plan. This is what FISMA requires.
FISMA is underpinned by NIST SP 800-53, but businesses should follow any relevant NIST guidelines and implement any relevant NIST controls.
Security systems are only as strong as their individual components. That means any component introduced to a FISMA data center has to be proven to be able to meet a suitable standard of security.
This is standard in any form of security compliance program including other programs run by the federal government (e.g. CMMC and FedRAMP). Businesses must stay aware of developing threats and update their systems to cope with them.