With the rise of cloud computing, there has been an increased emphasis within the government to transition to commercial cloud services. In fact, it is actually mandated within the government to move to cloud-based services if they are available to meet the mission need of the federal agency. This is all in an effort to cut costs within the government as they attempt to consolidate data centers and cut information technology costs.
With the expanded use of cloud services within the government, there was an increased need to be able to provide a standardized approach to evaluating the security posture of these cloud services as well as authorizing them for use within federal agencies. That is the primary focus of the Federal Risk and Authorization Management Program (FedRAMP). The Federal Information Security Management Act (FISMA) has been around since 2002, and also focuses on information security within government systems.
This article will provide an overview of both FedRAMP and FISMA and explain the primary similarities and differences between FedRAMP and FISMA. It will also briefly discuss control baselines comparisons (e.g. FISMA High vs. FedRAMP controls).
FedRAMP Overview
Put simply, FedRAMP is a government program organized under the General Services Administration (GSA) to provide oversight and direction to federal agencies and commercial cloud service providers (CSP) on how cloud-based services are evaluated for security and ultimately authorized for use within federal agencies.
It is designed to help federal agencies leverage the security evaluation of a commercial cloud service that has been authorized by another federal agency. It also provides a path for commercial cloud services to be authorized for use across the entire federal government.
The security posture of CSPs is evaluated by Third Party Assessment Organizations (3PAO) that have passed a rigorous accreditation process by the American Association of Laboratory Accreditations (A2LA).
3PAOs also provide a risk assessment based on the results of the security evaluation. This risk assessment serves as input to federal Authorization Officials (AO) since federal AOs are the only ones that can accept risk on behalf of their federal agency. If the agency AO deems the risk is acceptable for their operational environment, the CSP will receive a FedRAMP Authorization to Operate or ATO.
FISMA Overview
Legislation for FISMA passed in 2002 and thus became the first legislative action to assist the federal government in managing information security.
The phase one initiatives included the development of security guidelines and standards for use across the government. This guidance has become the foundation of government security programs and includes such foundational documents as the Federal Information Processing Standard (FIPS) 199 for categorizing information systems as well as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security and privacy control catalog.
The second phase of implementing FISMA included a focus on the Risk Management Framework (RMF) and how the released documentation supported the RMF process. The intent behind phase two was to develop standardized methods to determine whether security controls were implemented correctly and operating effectively. Additional initiatives produced tools and methods to assist in vulnerability management and a framework for testing security controls through automation.
How are FedRAMP and FISMA Similar?
Since both FedRAMP and FISMA are focused on information security in the government space, you can imagine that there are a lot of similarities. They both have the same end in mind — to authorize an information system for use within the government.
Whether via FedRAMP or FISMA, government AOs will issue an ATO once they determine that the risk posture for the system is acceptable within their operational environment. Both FedRAMP and FISMA leverage the documentation produced as part of phase one of FISMA (e.g. FIPS 199, NIST SP 800-53). These documents are foundational to the general processes supporting information security programs within the government.
Systems evaluated under FedRAMP or FISMA are categorized in accordance with FIPS 199. As part of the security categorization process, each information system is categorized as High, Moderate, or Low based on the high water mark of the security categories for each information type on the system.
Then, based on the security categorization of the information system, the applicable security controls from NIST 800-53 are applied to the information system. The controls are applied based on the categorization of the system as High Impact, Moderate Impact, and Low Impact. The number of controls assigned to an information system increase significantly from Low Impact to Moderate Impact and from Moderate Impact to High Impact.
How are FedRAMP and FISMA Different?
While FedRAMP and FISMA share significant similarities, there are also some specific distinctions between them. The primary difference between FedRAMP and FISMA is in their applicability.
Systems evaluated under FedRAMP are commercial cloud-based (IaaS, PaaS, SaaS) systems and can support the general business processes of government agencies and commercial companies alike.
Systems that fall under FISMA are traditionally on-premise (e.g. in a government data center) systems that were designed to address the business processes of a specific federal agency. These systems generally aren’t leveraged by multiple federal agencies either.
Within SP 800-145, NIST defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Within SP 800-145, NIST also defines the essential characteristics of cloud computing and the various service and deployment models. So, bottom line, if the system is cloud-based, it will be evaluated under FedRAMP.
For cloud-based systems evaluated under FedRAMP, agencies must work with the FedRAMP Program Management Office (PMO) as part of issuing an agency-specific ATO. The FedRAMP PMO is involved at key milestones throughout the assessment process such as the kickoff meeting, Security Assessment Report review, and the authorization process. Systems evaluated under FISMA, though, are evaluated completely within the jurisdiction of the agency issuing the ATO.
Regarding the controls defined in SP 800-53, the FedRAMP PMO has defined control parameters for a number of the controls whereas, under FISMA, federal agencies define the control parameters themselves. For example, the FedRAMP PMO has defined the specific authoritative time source for audit events and the frequency upon which internal information system clocks are compared with the authoritative time source [AU-8(1)]. Under FISMA, agencies are able to define the specific time source for audit events and the frequency in which the internal clocks are compared with the authoritative time source. For Moderate-Impact systems, the FedRAMP PMO has defined parameters for 119 of the 325 controls.
Another key difference between FedRAMP and FISMA is that FedRAMP assessments are performed by an independent 3PAO. 3PAOs must demonstrate compliance with ISO 17020 as well as meet other requirements defined by the FedRAMP PMO. Assessments performed under FISMA can be performed by any organization that performs security assessments; FISMA doesn’t require an accredited independent third party to perform assessments. Also, federal agency staff may also perform the security assessments.
Control Baseline Comparisons (FISMA High vs. FedRAMP)
The primary driver regarding the controls that are allocated to an information system is the categorization (High, Moderate, Low) of the system itself, but there are differences based on whether or not the system is evaluated under FedRAMP or FISMA.
The FedRAMP PMO has added a number of controls (over 50) to the moderate baseline control set as identified in the NIST 800-53 security control catalog.
For the high baseline, the FedRAMP PMO has added over 70 controls than what is identified in NIST 800-53 for high impact systems.
In addition, federal agencies can add additional controls to FedRAMP or FISMA evaluations based on their sensitivity to risk.
When compared strictly based on the categorization (e.g. moderate) of the system, there will be more controls applied under a FedRAMP assessment than a FISMA assessment.
Summary
Both FedRAMP and FISMA share a common goal — to reduce information security risk within federal information systems. Both FedRAMP and FISMA share common security guidance and documentation (e.g. FIPS 199 and SP 800-53) and both issue an ATO at the end of the assessment process.
However, the FedRAMP assessment process is focused on cloud-based systems that can support multiple federal agencies, while FISMA assessments are traditionally focused on on-premise information systems that support a single agency.
Whether your organization needs a FedRAMP or FISMA assessment, Linford & Company is an accredited FedRAMP 3PAO with the background and experience evaluating NIST 800-53 controls under FedRAMP and FISMA. Please contact us if you would like to know more about FedRAMP or FISMA assessments.
If you are looking for additional information regarding FedRAMP, read our other blog posts here:
- The FedRAMP SSP: Important Tips for a Successful Outcome
- An Expert Guide to a FedRAMP Readiness Assessment
- FedRAMP Compliance: What is it? Requirements, Process, & More
To learn more about FISMA Compliance, read our previous blog post here:
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.