Do you know the difference between FISMA and RMF? We’ve got you covered! Learn how FISMA is related to RMF, the certification process, and the benefits to your agency. 

What is FISMA and how are the regulations related to RMF (the Risk Management Framework)?  If your organization pursues federal contracts or works with a federal agency, the sheer number of security compliance certifications can seem overwhelming.  Understanding the frameworks, processes, and benefits of these certifications can seem daunting.  That’s why we’re here to help break down a well-known federal program, the Risk Management Framework (RMF), and the law that outlines the requirements that agencies must meet to achieve compliance, the Federal Information Security Modernization Act (FISMA).

FISMA requires federal agencies to develop, document and implement an agency-wide program to provide security for the information and systems that support the operations and assets of the agency. This includes assets provided or managed by another agency, contractor or other sources.  

After its initial launch, FISMA was amended to include several modifications that modernize federal security practices to address ever-evolving security concerns. These changes resulted in less overall reporting, strengthened the use of continuous monitoring in systems, and increased focus on the agencies for compliance and documentation that is centered on the issues caused by security incidents.  

What is RMF? 

RMF was designed to effectively bring together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies. According to NIST.gov, the stated goals are as follows: 

• To improve information security 
• To strengthen risk management processes 
• To encourage reciprocity among federal agencies 

More simply put, FISMA establishes the standards and requirements of an agency’s cybersecurity program and RMF helps determine how that program is implemented to meet those standards and requirements.  

What is the RMF Process? 

Essentially, RMF effectively transforms traditional Assessment and Authorization (A&A) programs into a more palatable six-step life cycle process that starts with preparation and consists of: 

1. The categorization of information systems 
2. The selection of security controls 
3. The implementation of security controls 
4. The assessment of security controls 
5. The authorization of information systems 
6. The monitoring of security controls  

RMF has currently been implemented across the major sectors of the federal government, including: 

• Federal “civil” agencies 
• Intelligence Community (IC) agencies 
• Department of Defense (DoD) components 

If your agency falls under these parameters, it’s likely they rely on FISMA and RMF approved standards when it comes to your cybersecurity systems and procedures. 

What are the FISMA Requirements within the RMF Process? 

In order to comply with FISMA, an organization must go through the Assessment and Authorization (A&A) process with a Federal agency. To make this process as simple as possible, a Federal cybersecurity assessment can be divided into four general phases:  

Phase I: Initiation Phase 

• This phase includes preparation, resource identification and system analysis.  
• This ensures that all senior officials are on the same page and agree with the drafted security plan.  
• Testing should be performed before certain actions such as identifying key security officers, conducting an initial risk assessment, or an independent audit.  

Phase II: Security Assessment Phase 

• This phase includes security control Assessment and Authorization (A&A) documentation. 
• Entities must verify that system controls are properly implemented as outlined during the initiation phase.  
• Any discovered deficiencies in security must be corrected.  
• At the end of the certification phase, risks to the agency, its systems and individuals will be obvious—which will allow for a clear decision-making process.  
• When concluding this phase, the Authorizing Official will review any necessary security updates or adjustments.  

Phase III: Security Authorization Phase 

• This phrase includes a decision regarding authorization and documentation.  
• Entities must determine if the remaining risks post-implementation of the security controls from phase 2 are acceptable.  
• The information system owner, information system security officer, and security controls accessor (SCA) provide collaborative information to the authorizing official, who then determines if the final risk level is within the “acceptability of risk” boundary.  
• The goal of this phase is to reach the required authorization to operate.  
• A Federal agency may also issue an interim ATO at their discretion for a variety of reasons.  Under this interim ATO, the agency outlines whatever actions must be completed to become fully authorized.   
• If those actions are not completed by the agreed upon deadline, the Authorizing Official may deny authorization of the system.  
• By the end of this phase, all documentation from phases 1 and 2 must be compiled into a final security authorization package—including an authority to operate decision letter.  

Phase IV: Continuous Monitoring Phase 

• This phase includes system configuration, security management, monitoring and reporting. 
• Maintaining a high level of security through monitoring security controls, documenting any updates and determining if any new vulnerabilities develop is this phase’s focus.  
• Detailed documentation is key, including tracking the current hardware, software or firmware version in use.  
• Officers must also note physical modifications, like new computers or facility access changes.  

The Benefits of FISMA/RMF Compliance 

Although regulatory compliance is often viewed as a complicated undertaking for agencies, FISMA/RMF compliance is a completely different situation. RMF compliance by meeting FISMA requirements translates to heightened readiness for current and future cyber threats, with many benefits: 

• Security: FISMA’s strict criteria and standards can greatly enhance an agency’s cybersecurity systems. Even physical disasters aren’t long-term setbacks—with FISMA’s regulations met, agencies can recover critical data almost instantaneously even after catastrophic damage to the tangible parts of their systems.  
• Reputation Management:  Reputation management and word-of-mouth are an integral part of business management.  The general public is becoming increasingly knowledgeable on cybersecurity issues, such as data privacy, and a data breach could result in a negative outlook on  your agency.  
• Scalability: One of the benefits of FISMA is that it provides different implementation options depending on the levels of potential impact for an organization or individual if there were a security breach. A breach of security could be a loss of confidentiality, integrity, or availability. The three FISMA implementation levels are: low, moderate and high.   
• Understanding the Competition.  In the process of categorizing risks, you will gain a valuable understanding of the marketplace, giving you an advantage over your competitors.  

Achieving RMF Compliance 

For organizations looking to win government contracts, the RMF compliance framework provides clear requirements for the development, documentation and implementation of an information security system for its data and infrastructure.