Easing into FISMA and FedRAMP? It's possible.


Across the federal government, managers are worrying about how to comply with forthcoming security requirements, including the possible reform of the Federal Information Security Management Act (FISMA) and the rollout of the Federal Risk and Authorization Management Program (FedRAMP), even as their budgets shrink and pressure mounts to adopt new technologies. While the transition may not be seamless, insiders say it does not have to be the struggle some fear.

There is no doubt the new rules will be disruptive. Between the two measures, the new requirements include directives for securing data and other digital assets, compliance reporting, security programs that will likely call for new capabilities, and working only with technology providers that have passed rigorous testing. Agencies also must either retrofit legacy systems and rework existing contracts or move to completely new versions of both. Most agree the disruption will be felt all around.

FISMA reform is still making its way through Congress, but if the legislation passes, the effect on agencies will be significant.

"It's a huge change from doing a FISMA scorecard last December to implementing real-time scanning and continuous diagnostic monitoring this year," Robert Duffy, CIO in the Homeland Security Inspector General's office, said at a recent industry event in Washington. "It's changing how we look at the network layer, what people are doing and the network piece that has become embedded with everything else that supports the mission. It's exciting in one sense because we're strengthening security...but also presents challenges going forward in what skill sets you really need to work the mission."

It is not only agencies that must contend with change. Under FedRAMP, which governs government cloud security, providers undergo thorough third-party assessments to show they meet the requirements before receiving authorization to serve as a cloud vendor for agencies.

Agencies and companies alike are faced with a decision that really only has one option: get on the security train, overcoming issues like upfront investment, cultural resistance to change and a steep learning curve on numerous and complex controls, standards and requirements.

"It's like 4,000-ft. sheer cliff glacier: This looks like a big scary thing coming at me, but it doesn't look like it's moving, so I ignore it. I look up again, and now it looks closer," said Ken Ammon, chief strategy officer at Xceedium. "But this all is going to totally change the landscape; there's no stopping it because it makes all the sense in the world. Whatever the downsides and risks are, we can navigate them all. So you can either figure out how to climb on the glacier and ride it, or be paved over."

While FedRAMP and FISMA are distinct initiatives, they are closely tied: FedRAMP is a standardized security assessment and authorization program specifically for cloud services, built on the same NIST Special Publication 800-53 control baselines that agencies already use to meet FISMA.

Under FedRAMP, cloud service providers must apply for authorization, which is granted by the Joint Authorization Board (JAB), while third-party assessment organizations (3PAOs) independently verify and validate the providers' security controls. Eventually, other requirements, including continuous monitoring, will be incorporated as well.

According to Maria Roat, director of FedRAMP at the General Services Administration, the program is going to make things significantly easier for agencies. Once a cloud service provider's offering has been assessed by a 3PAO and authorized for one agency, other agencies are able to reuse that assessment, reviewing the offering against their own requirements rather than starting from scratch, she said.

"This really goes back to the 'do once, use many times' – that's really a driver for the FedRAMP program," Roat said May 8 on a panel at an industry event in Arlington, Va.

"This is accreditation as a service," added Zachary Brown, chief information security officer at the Consumer Financial Protection Bureau. "Cloud, shared services, everything we're doing now is really bridging the public and private sectors more quickly than probably a lot of us feel comfortable doing. That means that we need to get familiar with [each other's] vernacular. You need to all come from a common ground."

Most officials will acknowledge the transition is daunting – FISMA alone has more than 600 security controls. But managers have to start out with smaller steps, including in the partnerships between government and industry, according to Dan Waddell, senior director of information assurance and cybersecurity at eGlobalTech.

"You have to start the conversation with data and risk – and not, 'Oh, you have to fill out this 350-page template,'" Waddell said. "Yes, we do, but you have to break it down into terms of this is the type of data we're looking for, this is information we're looking for – you have to break it down into a conversation [everyone] is able to understand and support the process to make things easier."

There is also no denying that becoming compliant will involve upfront investment, but officials say the investment ends up paying for itself.

"When you talk about sequestration and the effects of cutting budgets, where FedRAMP and FISMA come in it seems like a tremendous overhead," said Steven Hernandez, CISO and director of information assurance at the Health and Human Services Department's Inspector General office. "In terms of the efficiency we're getting out of this, that's tremendous...we're literally spending 10 percent of the time and resources on the review that we were before."

FedRAMP went into effect in June 2012.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
