This document discusses FISMA, FIPS, and NIST standards for information security compliance for US federal agencies and contractors. It provides an overview of key concepts: FISMA sets requirements for agency security programs, relying on NIST publications for guidance. FIPS are mandatory security standards for non-military agencies. NIST develops FIPS and additional guidelines. Systems must be inventoried, risks assessed and categorized, and minimum security controls from NIST SP 800-53 implemented. Ongoing monitoring is also required to maintain compliance. The document advises meeting FIPS standards first and prioritizing security efforts based on risk to work for the US government.

1. Working for Uncle Sam
FIPS/FISMA 101
Kenneth Silsbee
Principal Consultant, Yeoman Security Consulting
ksilsbee@yeomansecurity.com

2. Who Am I?
Kenneth Silsbee
In IT for over 20 years.
In Information Security over 10 years.
Over 10 years teaching business management and security.
6 years consulting, Built 2 software security programs from
scratch.
Worked in numerous Fortune 500 companies and 2 startups.
I’ve seen telecommunications, aerospace, manufacturing,
insurance, and commercial software.
Recent efforts in HIPAA, FISMA, and PCI compliance.
Security IT leadership & Program Management,
specializing in software and data protection.

3. FISMA-FIPS, FIPS-FISMA. . .
I’m Sooo Confused!!
E-Government Act of 2002
 Recognized importance of information security to the US
 Every federal agency and contractor needs a security program
 FISMA part of the act.
FISMA (Federal Information Security Management Act)
 Sets the requirements for an overall risk-based program to
manage information security
 Specifies the framework of policies and procedures to address
security risks
FIPS (Federal Information Processing Standards)
 Government standards for computer systems used by
non-military government agencies and contractors
 FIPS 100 document series are required standards

4. And Then There is NIST
National Institute of Standards and Testing
 Computer Security Division
 Develops standards and guidelines for Federal
computer systems
 Creates FIPS where no acceptable industry standards
or solutions exist
 Using voluntary industry standards (eg ANSI) encouraged
Key NIST Publication Types
 FIPS 100 Series Publications on
mandatory security standards
 ITL (Information Technology Laboratory) Security Bulletin
– special topics
 800 Series Special Publications on security

5. The Link Between FISMA,
FIPS, and NIST
FISMA
Relies on NIST Special Publications for How to Execute a
Security Program
Relies on FIPS Publications for Specific Security Standards
NIST
Also Provides Supplemental Security Guidance
and Guidelines not identified by FISMA or FIPS

6. Compliant vs Certified
FIPS
“FIPS compliant” if using the methods and technologies specified
by the FIPS 100 document series
 Usually references cryptography (FIPS 140 compliant)
“FIPS Certified” applies to custom cryptography tested by
third-party laboratories
 Part of the Cryptographic Module Validation Program (CMVP)
 NIST FIPS 140-2 for details
FISMA
Certification and accreditation program
First, system controls are certified to function appropriately
Next, the information system’s security accredited by
review and government authorization
NIST SP 800-37 for details

7. FISMA Compliance
Framework PI
1. Create an Information Systems Inventory
 “The elements used for a common purpose”
(NIST SP 800-18)
1. Categorize Information and Information
Systems by Risk Level
 Maps to impact level & response
(NIST SP 800-18)
1. Select Minimum Security Controls
 Flexible match of security controls to need
(NIST SP 800-53)

8. FISMA Compliance
Framework PII
4. Assess the Effectiveness of the System
 Risk assessment adjusts security needs
(NIST SP 800-30)
5. Maintain a System Security Plan
 Defines a repeatable evaluation process
(NIST SP 800-18)
6. Perform Continuous Monitoring
 Part of the Risk Management Framework (RMF)
(NIST SP 800-137 ,
NIST FAQ Continuous Monitoring)

9. What do I do to
Work for Uncle Sam?
 Any device with software (eg defibrillator) or a
software application at a minimum must:
 Be categorized by risk level (FIPS 199)
 Meet minimum security requirements
(FIPS 200 & NIST SP 800-53)
 An Information System (integrated components for
collecting, storing and processing data or delivering
information or knowledge) must:
 Become FISMA compliant (includes FIPS)
 Although mandated, only 7 of 14
government agencies FISMA compliant

10. Best Practices
 Appoint somebody to own data security
 Ultimate oversight (doesn’t need to be CIO)
 Meet FIPS first (FISMA next – If needed)
 Expend resources based on risk – Some risk is OK. ID
most crucial security controls
 Monitor where it counts – vulnerability scanners, etc.
 Use Integrity testing tools to ID system
changes & potential compromises

11. For More Information
FISMA Resourced
http://csrc.nist.gov/groups/SMA/fisma/
FIPS and NIST Documents
http://csrc.nist.gov/publications/
FISMA Advice
http://www.cliftonlarsonallen.com/Federal-Government/CMS-
Security-Guidelines-Contractors-FISMA-Compliance.aspx
Meeting FISMA Effectively
http://www.informationweek.com/whitepaper/government/security
/six-critical-elements-to-achieving-economies-in-f-
wp1278458862136

12. QUESTIONS?
Kenneth Silsbee
Principal Consultant, Yeoman Security Consutling
ksilsbee@yeomansecurity.com
425-413-3979