FISMA Assessments
The Federal Information Security Management Act (FISMA) requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.
A key aspect of FISMA is an annual assessment of an agency’s progress in meeting these requirements. K2 IT Audit has substantial experience in performing independent FISMA audits for agency Offices of Inspector General (OIGs). These audits focus on determining management’s effectiveness in implementing and maintaining an agency-wide security management program that includes:
Development of Detailed IT Policies and Procedures
A Comprehensive Risk Management Process
A Comprehensive Certification and Accreditation Process
Effective Oversight of Contractors and Contractor Systems
An Agency-Wide Privacy Program
Effective Configuration Management Policies and Procedures
Additionally, the following FISMA compliance checklist summarizes the core requirements:
Maintain an Information System Inventory - The inventory must identify the interfaces between each system and all other systems or networks.
Categorize Information Systems - Information systems should be categorized according to their range of risk levels.
Maintain a System Security Plan - Develop and maintain a system security plan, which is a living document that requires periodic review, modifications, action plans, and milestones for implementing security controls.
Utilize Security Controls - Apply baseline security controls that closely fit the mission requirements and operational environments. The controls must be documented in the System Security Plan.
Certification and Accreditation - System controls must be certified to be functioning properly. Based on the results, the information system is accredited.
Conduct Risk Assessments - Assess and validate security controls to determine if any additional controls are needed to protect the organization’s operations, assets, individuals, and other organizations.
Continuous Monitoring - Agencies are required to monitor a selected set of security controls for each information system on an ongoing basis. Activities include security impact analyses, ongoing assessment of security controls, and status reporting.
Please contact us for more information about our FISMA assessment services.