Download: Integrated FISMA Compliance and Security Management: Automation Requirements

FISMA
Agencies continue to struggle with FISMA: complying with ever-evolving NIST guidance, emerging FIPS requirements, quarterly OMB reporting objectives and GAO audits, all while fighting the day-to-day security and privacy battle. Most agencies have discovered that initial compliance management programs built around email, Excel spreadsheets and other point solutions are inaccurate and inefficient at best. This situation has given rise to numerous initiatives across Federal agencies to implement "enterprise class" automation for FISMA compliance management and oversight reporting. In particular, many agencies are struggling with multiple phases of the IT compliance life cycle, including:

  • Understanding regulations – keeping up with NIST's continuously evolving information security guidance and codified FIPS requirements while OMB continues to alter its quarterly and yearly reporting specifications
  • Determining specific requirements – translating changing guidance into concrete requirements; updated SP 800-26, SP 800-18 and SP 800-53A are but a few examples of new or changing guidance
  • Creating a control architecture – continuously revising security and privacy related policies, standards, processes and procedures to address new and changing mandates and security risks
  • Documenting the audit approach – documenting an internal audit and control regimen that passes IG scrutiny; agencies need to define the approaches and processes used to audit compliance with key policies
  • Collecting audit evidence – collecting and managing the plethora of data necessary to pass IG and GAO audits and fulfill OMB reporting requirements is a resource-intensive process. Completing 800-26 based assessments, ensuring timely and accurate C&A information and updating POA&M data for numerous systems are a few examples of this difficult task

The Business Impact
Because of the difficulty, knowledge and scope required, improving security and demonstrating compliance can be expensive and time consuming. An agency's compliance scorecard is published publicly by Congress, and non-compliance with FISMA carries substantial budget-related consequences. Agencies have felt the impact of FISMA compliance initiatives in two ways:

  • Increased costs – adequately protecting systems and reporting to numerous internal and external "oversight" bodies is forcing many agencies to increase spending and/or reallocate resources away from other IT priorities
  • Increased risk – the potential impact of non-compliance with current FISMA requirements adds risk. Some agencies privately acknowledge that never-ending audit and reporting cycles, combined with ever-changing technologies, are having an adverse impact on IT security preparedness

The Compliance Spectrum FISMA Solution
Compliance Spectrum's FISMA solution is backed by a comprehensive set of support services, including implementation, training, project management, FISMA program development and ongoing program management. The solution itself provides:

  • Certification and accreditation management – provides C&A milestone tracking, reporting and an enterprise dashboard. Also includes a version-controlled, auditable C&A document management capability
  • Policy and awareness management – provides an auditable repository for policies and controls, comprehensive templates for "quick start" programs, and deployment and awareness tracking to ensure policies are both "documented" and "implemented"
  • Enterprise self-assessment – the module supports an 800-26 self-assessment and other risk and security assessments. Provides delegated, multi-assessor capability, assessment tracking and scoring, and findings management that integrates seamlessly with the POA&M tracking module
  • POA&M management – the module provides comprehensive POA&M tracking, tasking and reporting. Weaknesses can be derived from various internal and external audit and assessment activities and through integration with the enterprise self-assessment capability. Weaknesses and milestones are actively tasked and tracked, and the OMB report can be generated automatically
  • Vulnerability and incident management – provides a comprehensive vulnerability database, targeted alerting, task management and status tracking

Compliance Spectrum’s Spectra automates key processes across the IT compliance life cycle.

Compliance Spectrum also offers solutions for SOX, GLBA, PCI, HIPAA, NERC CIP, COBIT 4.1, ISO 27001/27002 and FSA.

© Compliance Spectrum 2007. All Rights Reserved.