Easing into FISMA and FedRAMP? It's possible.


Across the federal government, managers are worrying about how to comply with forthcoming security standards, including the possible reform of the Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP), even as their budgets shrink and pressure mounts to incorporate new technologies. While the transition may not be seamless, insiders say it does not have to be the struggle some fear.

There is no doubt the new rules will be disruptive. Between the two measures, the new requirements include directives for securing data and other digital assets, compliance reporting obligations, security programs that will likely demand new capabilities, and a mandate to work only with technology providers who have passed rigorous independent testing. Agencies also must either retrofit legacy systems and rework existing contracts or move to entirely new versions of both. On the scale of the disruption, at least, most agree.

FISMA reform is still making its way through Congress, but if the legislation passes, the effect on agencies will be significant.

"It's a huge change from doing a FISMA scorecard last December to implementing real-time scanning and continuous diagnostic monitoring this year," Robert Duffy, CIO in the Homeland Security Inspector General's office, said at a recent industry event in Washington. "It's changing how we look at the network layer, what people are doing and the network piece that has become embedded with everything else that supports the mission. It's exciting in one sense because we're strengthening security...but also presents challenges going forward in what skill sets you really need to work the mission."

It is not only agencies that must contend with change – under FedRAMP, which pertains to government cloud security, providers undergo thorough third-party assessments to ensure they meet all new requirements before receiving accreditation and approval to be a cloud vendor for agencies.

Agencies and companies alike are faced with a decision that really only has one option: get on the security train, overcoming issues like upfront investment, cultural resistance to change and a steep learning curve on numerous and complex controls, standards and requirements.

"It's like a 4,000-ft. sheer cliff glacier: This looks like a big scary thing coming at me, but it doesn't look like it's moving, so I ignore it. I look up again, and now it looks closer," said Ken Ammon, chief strategy officer at Xceedium. "But this all is going to totally change the landscape; there's no stopping it because it makes all the sense in the world. Whatever the downsides and risks are, we can navigate them all. So you can either figure out how to climb on the glacier and ride it, or be paved over."

While FedRAMP and FISMA are distinct initiatives, they are closely tied: FedRAMP is a security standardization program specifically for cloud services, and its requirements are derived from the same NIST Special Publication 800-53 security controls and baselines that agencies already apply under FISMA.

Under FedRAMP, cloud service providers must apply for authorization, which is granted by the Joint Authorization Board (JAB), while accredited third-party assessment organizations (3PAOs) independently verify and validate that the required security controls are in place. Eventually, other requirements, including continuous monitoring, will be incorporated as well.

According to Maria Roat, director of FedRAMP at the General Services Administration, the measure is going to make things significantly easier for agencies. Once a cloud service provider's offering has been assessed by a 3PAO and authorized for one agency, other agencies are able to take advantage of that work, reviewing the provider's authorization package against their own requirements rather than repeating the full assessment, she said.

"This really goes back to the 'do once, use many times' – that's really a driver for the FedRAMP program," Roat said May 8 on a panel at an industry event in Arlington, Va.

"This is accreditation as a service," added Zachary Brown, chief information security officer at the Consumer Financial Protection Bureau. "Cloud, shared services, everything we're doing now is really bridging the public and private sectors more quickly than probably a lot of us feel comfortable doing. That means that we need to get familiar with [each other's] vernacular. You need to all come from a common ground."

Most officials will acknowledge the transition is daunting – FISMA alone has more than 600 security controls. But managers have to start out with smaller steps, including in the partnerships between government and industry, according to Dan Waddell, senior director of information assurance and cybersecurity at eGlobalTech.

"You have to start the conversation with data and risk – and not, 'Oh, you have to fill out this 350-page template,'" Waddell said. "Yes, we do, but you have to break it down into terms of this is the type of data we're looking for, this is information we're looking for – you have to break it down into a conversation [everyone] is able to understand and support the process to make things easier."

There also is no denying that becoming compliant will involve upfront investment, but officials say the resulting efficiencies end up paying for it.

"When you talk about sequestration and the effects of cutting budgets, where FedRAMP and FISMA come in it seems like a tremendous overhead," said Steven Hernandez, CISO and director of information assurance at the Health and Human Services Department's Inspector General office. "In terms of the efficiency we're getting out of this, that's tremendous...we're literally spending 10 percent of the time and resources on the review that we were before."

FedRAMP went into effect in June 2012.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
