FISMA Certification: Understanding Low, Moderate and High-Impact Systems
FISMA, or the Federal Information Security Management Act of 2002, is assessed against the security controls outlined in NIST SP 800-53. You can review those requirements in Figure 1, below.
One of the benefits of FISMA is that it provides different implementation options depending on the level of potential impact on an organization or individual if there were a security breach. A breach of security could be a loss of confidentiality, integrity, or availability. The three FISMA implementation levels are: low, moderate and high.
FISMA established security guidance for federal entities and their agencies to adhere to, and thus organizations looking to win government contracts must adhere to the same standards. The focus of this program is to improve the security of information through the creation of clear standards that can be used by all federal agencies, in order to protect the security of information and information systems.
Low
Low-impact systems are systems that, if compromised in some way, would only have limited adverse effects on the organization or individuals.
Moderate
Moderate-impact systems are systems where a breach in security would result in a serious adverse effect on an organization’s operations, organizational assets or individuals.
High
High-impact systems are of critical importance to a government entity. A breach of any kind would result in severe or catastrophic amounts of damage to the organization, and could potentially result in a shutdown of operations, significant fiscal loss, physical damage to individuals, or a severe loss of intellectual property.
Achieving FISMA Certification
For organizations looking to win government contracts, FISMA compliance provides clear requirements for the development, documentation and implementation of an information security program for their data and infrastructure.