Industry Update: There’s FISMA, and now FedRAMP – What’s the Difference?

by Tom McAndrew, EVP, Professional Services, Coalfire

At a glance, despite sharing similar characteristics, the FISMA and FedRAMP programs are not the same. Differences apply that separate the two, and it is important to review and understand these differences. This perspective identifies the key differences between FISMA and FedRAMP, helps to determine which security program applies to your organization, and prepares you to adapt to one or both programs.

What is FISMA?
FISMA represents a compliance framework and stands for the Federal Information Security Management Act. It was enacted in 2002 and requires all federal agencies, departments, and their contractors to adequately safeguard their information systems and assets.
The National Institute of Standards and Technology, known as NIST, helps develops standards and guidelines for FISMA through “Special Publications” (SP). NIST is considered a guidance and reference tool for many organizations that use the FISMA framework, whether they are required to use it or they voluntarily use it.

What is FedRAMP?
FedRAMP stands for the Federal Risk and Authorization Management Program. It was enacted in December, 2011 and requires all federal organizations that use, or plan to transition to, a cloud environment to implement the FedRAMP program for cloud security controls.

The FedRAMP team combines IT and cloud experts from federal defense agencies, including NIST and the Federal CIO Council. Similar to FISMA, NIST plays a major role by producing “Special Publications.” For private organizations that are not related to federal agencies or departments, FedRAMP is not required. However, the program is strongly recommended for consistency and efficiency.

FISMA and FedRAMP Framework Comparison

The FISMA Framework
FISMA uses multiple documents and standards as part of the information security program, but most specifically Federal Information Processing Standards (FIPS) 199, FIPS 200, and NIST Special Publication 800-53 Rev. 3 as the primary security controls. Federal agencies, departments, and their contractors are required to implement this framework.

  • FIPS 199: Organizations must first determine the security category of their information and information systems, which includes a low, moderate, or high impact ranking. Security categories are based on the potential impact of an event that creates a threat or vulnerability to information and information systems.
  • FIPS 200: Represents the minimum security controls requirements for information and information systems. Organizations are required to cover 17 security-related areas for information and information systems. All minimum security controls must be implemented unless legitimately exempt.
  • NIST SP 800-53 Rev. 3: Represents the tailored set of baseline security controls for information systems and organizations. Baseline controls are chosen from the FIPS 199 and FIPS 200, and the goal of SP 800-53 is to provide a comprehensive overview.

*FISMA requires that all federal departments and agencies report annually on their information security status.

The FedRAMP Framework
FedRAMP was created to build a cohesive risk management program that could be used throughout the entire federal government. For starters, it entails a four-step process for authorizing an organization to host a cloud environment. These initial steps include initiating, assessing, authorizing, and leveraging.

  • Initiating: Agencies or cloud service providers (CSPs) are the initiators for the FedRAMP program by pursuing a security authorization. The FedRAMP requirements are based on NIST SP 800-53 Rev. 3 (the same applies to FISMA).
  • Assessing: Based on the NIST SP 800-53 Rev. 3 requirements, CSPs must hire a third-party assessment organization (3PAO) to perform an independent assessment.
  • Authorizing: Upon completion, the security assessment package will then be forwarded to the FedRAMP Joint Authorization Board (otherwise known as JAB) for review.
  • Leveraging: The CSP will then continue to work with the executive departments and agencies for the Authority to Operate (ATO) permissions.

*The FedRAMP framework has currently been working in “phases” for a unified approach when assessing cloud environments. Most recently, FedRAMP has released a Concept of Operations (CONOPS) that has laid the foundation for security assessments. The entire phase process is expected to be completed by the end of fiscal year 2014.

How are FISMA and FedRAMP different?
If both FISMA and FedRAMP use the same NIST Special Publication, then how are they different programs?

FISMA is required for all federal agencies, departments, and their contractors regardless if they are a cloud service provider or not. FedRAMP is required for all agencies or cloud service providers that currently use, host, or want to host federal information in a cloud environment.
It’s important to remember that FedRAMP does not deploy any new controls, but rather it adds additional controls from the NIST Baseline Controls, which are built from the NIST SP 800-53 Rev 3. In fact, the number of controls for a FedRAMP assessment will contain more than a FISMA assessment. The goal of the NIST SP 800-53 Rev. 3 was to address controls and improvements for the attributes of a cloud environment.

Assessments for FISMA and FedRAMP

What is the difference between a FISMA and FedRAMP assessment?
FISMA assessments can be performed by any third party that conducts security assessments.
However, a 3PAO must be used for FedRAMP assessments. A 3PAO is an acronym for a Third Party Assessment Organization that conducts independent assessments of an agency’s or cloud service provider’s FedRAMP program.

How many controls are expected in a FedRAMP assessment?
For LOW impact levels, the current NIST Baseline Controls are set at 115. For FedRAMP, there will be just one additional control to the assessment.
For MODERATE impact levels, the current NIST Baseline Controls are set at 252. For FedRAMP, there will an additional 45 controls.