FedRAMP vs. FISMA: Choosing the Right Standard for Your Federal Clients


When pursuing or servicing federal clients, an organization faces compliance requirements that are unique to the sensitivity of federal information. FedRAMP and FISMA exist to create consistent security standards for organizations that serve federal agencies. FISMA, the Federal Information Security Management Act of 2002, is the law that governs the security of federal information systems, including systems that contractors operate on an agency's behalf. An organization demonstrates FISMA compliance by obtaining an ATO, or authorization to operate, from the federal agency whose information the system handles.

FedRAMP, or the Federal Risk and Authorization Management Program, is a government program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

FedRAMP vs. FISMA: Similarities

FISMA and FedRAMP are built on the same standard: both use the control catalog in NIST SP 800-53. Its control families include:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment and Authorization
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Program Management

Additionally, both standards select controls from that catalog according to the impact level of the system (low, moderate, or high), so the requirements become more prescriptive as the risk of the system increases. The number of controls selected from each family grows with the impact level, and the FedRAMP baselines start from the NIST baselines and add controls and parameter values specific to cloud services, so the FedRAMP count at a given level is higher than the FISMA count. Below, you can review the number of controls tested at each impact level for both FISMA and FedRAMP.


With the similarities between the two standards covered, let's look at the differences.

FedRAMP vs. FISMA: Understanding the Differences

Under FISMA, an organization is awarded an ATO by a specific federal agency for a specific system, which is a one-to-one process. Each agency an organization seeks authorization from may impose different requirements to match its own needs, so an organization serving several agencies must obtain and maintain a separate ATO from each of them in order to keep those federal contracts. Each authorization is done one at a time.

Under FedRAMP, an organization is awarded an authorization that any federal agency can leverage, which supports a "do once, use many" model and provides a streamlined process for cloud service providers (CSPs). Because a single authorization is intended to be reused across agencies, FedRAMP is more rigorous than an individual agency ATO. FedRAMP is also designed specifically around the needs of CSPs, making it the appropriate assessment for cloud providers. The provider undergoes an independent security assessment by a 3PAO, or third-party assessment organization, which determines whether the cloud service meets the FedRAMP baseline controls for its impact level. Once the 3PAO has completed the assessment and reviewed the documentation, the results are submitted for final review, at which point the organization is awarded either a P-ATO, a provisional authorization to operate, or an agency ATO.

The 3PAO requirement is itself a difference: FedRAMP mandates that the assessment be performed by an accredited 3PAO, whereas a FISMA assessment does not have to be performed by a FedRAMP-accredited 3PAO. Federal agencies are required to use FedRAMP-authorized services when purchasing cloud services.

Becoming NIST 800-53 Compliant

As an accredited 3PAO, A-LIGN can assess your environment and help you decide which standard is the best fit for your company. Understanding the differences between FedRAMP and FISMA is the first step in choosing the standard that is appropriate for your organization based on its type and compliance goals.

Regardless of which assessment is right for your organization, the NIST guidelines allow organizations to deliver and use cloud services with greater security and efficiency. Contact the A-LIGN team today to discuss the benefits of FISMA or FedRAMP for your organization.