FISMA CYBERSECURITY ASSESSMENTS

Risk Cognizance work with FISMA vendors and subcontractors to meet the highest level FISMA compliance and accreditation services in support of Federal Information Security Management Act requirements. To achieve these aims, FISMA established a set of guidelines and security standards that federal agencies have to meet. The scope of FISMA has since increased to include state agencies administering federal programs like Medicare. FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government.

We have helped organizations achieve FISMA authorization from agencies such as the Social Security Administration, Department of Justice, General Services Administration, Health and Human Services, Department of Homeland Security, and others

Our team assist with the security assessment and the controls implementation of FISMA requirements, establish the necessary security objectives needed for compliance, and create a roadmap to meet and comply with FISMA requirements.


FISMA assessment and advisory services - Risk Cognizance’s risk management consultants and security analysts are experts provide assessment and compliance services with FISMA requirements to improve vendors and subcontractors security posture.
FISMA-Compliance-Audit-Readiness-Assessment-Services.jpg

FISMA assessment and advisory services

Risk Cognizance’s risk management consultants and security analysts are experts provide assessment and compliance services with FISMA requirements to improve vendors and subcontractors security posture.

FISMA Security Assessments of Federal Systems

FISMA compliance for vendors and subcontractors that provide information systems to agencies must prove a comprehensive annual assessments and remediation of risks identified based on FIPS 199, FIPS 200, and NIST SP 800-53 Revision 4.

FISMA Gap Analysis

Our auditors can evaluate your current policies and procedures to determine which areas already meet FISMA standards. A gap analysis covers topics from access controls and encryption methods to employee training procedures and incident response plans, and results in a documented remediation plan for management.

FISMA Risk Assessments

Risk assessments, are based on the NIST risk assessment framework, are required any time you make a change to your information system. Our auditors can help you assess the potential impact of a change; determine the likelihood of each vulnerability being exploited; and evaluate the potential impact of a breach. From there, you can determine which risks you can accept and which you can mitigate with compensating controls.

FISMA Compliance Audits

Once you’ve designed a FISMA-compliant information security plan, Risk Cognizance provide independent validation of your efforts. With third-party documentation that your policies and procedures meet the relevant requirements, formal auditing allows you to provide a higher level of assurance for your security posture.

FISMA NIST 800-53 Cybersecurity Assessments

  • Information System Inventory. System boundaries must be identified, and individual systems (and their owners and interfaces) must be ascertained.

  • Risk Categorization. Systems must be categorized based on an impact of a loss of confidentiality, integrity, or availability, using the guidance provided in FIPS 199 and NIST SP 800-60.

  • Security Controls. Based on the system’s risk categorization, a set of security controls must be evaluated, based on the guidance provided in FIPS 200 and NIST Special Publication 800-53.

  • Risk Assessment. Based on the output of the required security control assessment, system risks are assessed by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. All risks must ultimately be accepted or mitigated.

  • System Security Plan. Using the guidance provided in NIST SP-800-18, a system security plan must be developed. This is a living document, which includes plans of actions and milestones (POA&Ms) for any assessed risks.

  • Certification and Accreditation. Once all required artifacts have been created, the system may be accredited based on the guidance provided in NIST SP 800-37 — whereupon a system is approved for operation in a production environment.

  • Continuous Monitoring. All accredited systems must ultimately be monitored, to ensure ongoing compliance with identified security controls and baselines.

FISMA Compliance Audit and Readiness Assessment Services:

Information System Inventory: Every federal agency or contractor working with the government must keep an inventory of all the information systems utilized within the organization. In addition, the organization must identify the integrations between these information systems and other systems within their network.

Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” defines a range of risk levels within which organizations can place their various information systems.

System Security Plan: FISMA requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.

Security Controls: NIST SP 800-53 outlines an extensive catalog of suggested security controls for FISMA compliance. FISMA does not require an agency to implement every single control; instead, they are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organizations must document the selected controls in their system security plan.

Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.
Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve FISMA Certification and Accreditation (C&A) through a four-phased process which includes initiation and planning, certification, accreditation, and continuous monitoring.

Be confident in your regulation and compliance and get back to growing business, we have helped organizations achieve FISMA authorization from agencies such as the Social Security Administration, Department of Justice, General Services Administration, Health and Human Services, Department of Homeland Security, and others.