When any organization engages in a FISMA audit, their information systems are organized according to FIPS 199 and FIPS 200 to determine security categories and impact levels. Then, those systems are tested against a tailored set of baseline security controls. Depending on whether an organization is a federal agency or a private sector entity, different NIST publications of security controls may apply to the FISMA audit. How can you determine whether your organization should use NIST SP 800-53 or NIST SP 800-171 security controls? Let’s dive into what applies to your organization and what doesn’t.

What is a FISMA Compliance Audit?

First, what is the Federal Information Security Management Act, or FISMA, and what does a FISMA audit accomplish? FISMA is United States legislation intended to protect the security, confidentiality, and integrity of government data systems. A FISMA audit is a test of an organization’s system against the controls outlined in various NIST publications such as NIST SP 800-53, NIST SP 800-171, FIPS 199, and FIPS 200.

FISMA was developed to protect against unauthorized access, use, disclosure, disruption, modification, or destruction of government information and assets. When you choose to engage in a FISMA audit, you can expect to receive a report on your controls, which can then be used to certify your organization when an Authorization to Operate (ATO) is signed by a federal agency.

NIST SP 800-53 in a FISMA Audit

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is the guideline established for federal agencies to uphold regulatory requirements regarding the management of their information security systems. Federal agencies categorize their security systems according to the NIST compliance levels: low, moderate, and high. NIST SP 800-53 security controls are classified into 18 control families, which help federal agencies determine the organizational impact and risk of their systems:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Contingency Planning
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Risk Assessment
  15. Security Assessment and Authorization
  16. System and Communications Protection
  17. System and Information Integrity
  18. System and Services Acquisition

When you engage in a FISMA audit with NIST SP 800-53 controls, you are testing your information security systems against compliance standards for federal agencies in an effort to better your information security and risk management practices.

NIST SP 800-171 in a FISMA Audit

While federal agencies test their systems against NIST SP 800-53 controls, non-federal agencies that work with government entities can comply with FISMA by testing their systems against NIST SP 800-171 security controls. Controlled Unclassified Information, or CUI, is governed by NIST SP 800-171, so any organization handling CUI should use the NIST SP 800-171 standard to ensure their security systems are measuring up to security guidelines. The goal of NIST SP 800-171 is to protect unclassified information that isn’t considered part of federal information systems against unauthorized access, harm, or mishandling. NIST SP 800-171 controls are also categorized into families, but only in 14 categories:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

If your organization handles CUI, engaging in a FISMA audit with NIST 800-171 controls can benefit your information systems, the categorization of your security practices, and opportunities for your organization to conduct business with federal agencies.

At KirkpatrickPrice, we mold our audit process to fit your needs, whether that includes testing against NIST 800-53 controls or NIST 800-171 controls in a FISMA audit. With KirkpatrickPrice as your audit partner, you can get help from start to finish to determine what security testing will benefit your compliance goals. Contact us today to get help with your FISMA audit process!

More FISMA Compliance Resources

FISMA is U.S. legislation enacted as part of the Electronic Government Act of 2002, intended to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction.

To comply with FISMA, organizations must demonstrate that they meet the standards set forth by NIST SP 800 series. Unique to a FISMA audit, organizations can tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements, and environments of operation. This type of compliance helps organizations obtain an ATO, attract more government contracts, provide interested parties with evidence of their FISMA compliance, confirm that their organization appropriately protects government information and assets, and demonstrate a commitment to confidentiality, integrity, and availability.

Checklist to Prepare for a FISMA Audit

A FISMA audit, like all other information security audits, is an initiative that requires organization, commitment, and investment from your team. In order to be successful and reap the benefits of compliance, preparation is crucial. So, how can you prepare for this type of audit?

Start with this checklist of controls before entering into a gap analysis or audit.

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity

Interested in pursuing a FISMA audit? KirkpatrickPrice is committed to helping your organization protect government information and assets and tackle this compliance goal.

We offer gap analyses and remediation plans, along with audits based on the NIST SP 800 series. We can help you determine which you need to use: NIST SP 800-53 or NIST SP 800-171. When you partner with KirkpatrickPrice, you work with information security auditors who are senior-level experts, holding certifications like CISSP, CISA, CISM, and CRISC. Let’s plan your FISMA audit today.

FISMA and FedRAMP audits are often confused because both involve compliance around government data. But, when you dive into the details of each audit, you’ll recognize the differences are stark. Let’s talk through each of these compliance audits and how you can tell them apart from one another.

What is FISMA?

The Federal Information Security Modernization Act, or FISMA, is U.S. legislation that requires government agencies to meet a standard of processes and system controls that protects the confidentiality, integrity, and availability of their systems. The implementation of these processes must align with the NIST standards such as NIST SP 800-53, NIST SP 800-171, FIPS 199, and FIPS 200. All government agencies and their contractors are required to implement an information security program that complies with these established NIST standards under FISMA.

What is FedRAMP?

The Federal Risk and Authorization Management Program, or FedRAMP, standardizes the security practices of cloud solutions to comply with information security best practices. The goal of this audit is to provide a standard that cloud service providers (rather than government agencies) can check against to ensure their security practices measure up to governmental security needs. Continuous monitoring and automation are a focus of FedRAMP in an effort to increase cloud security and protection of government data for cloud service providers.

Comparing FISMA and FedRAMP

When you’re deciding which framework best fits your organization, it’s easy to get lost in the security talk. To help you determine whether you should engage in a FISMA or FedRAMP audit, we put together the most important differences between the two audits:

Who Needs It
  FISMA: All government agencies, departments, and vendors
  FedRAMP: Cloud service providers that host and protect government data

Who Can Perform the Audit
  FISMA: Any third party security assessor
  FedRAMP: A certified Third Party Assessment Organization (3PAO)

Number of Controls in Each of the Three Compliance Levels
  FISMA: Low: 124, Medium: 261, High: 343
  FedRAMP: Low: 125, Medium: 326, High: 421

Authorization Process
  FISMA: Annual reviews of reporting and current information security program
  FedRAMP: “Do Once, Use Many Times” authorization by the government, which is then reviewed by agencies

If you’re a cloud service provider focused on compliance for protecting government data, there’s a chance you’d benefit from both a FISMA and FedRAMP audit. Upon receiving a FISMA or FedRAMP certification, cloud service providers must obtain and maintain an Authority to Operate, or ATO, from a federal agency. Both FISMA and FedRAMP have different ATO variations – JAB P-ATO and FedRAMP ATO – which are required by federal agencies to engage in business with vendors.

These differences and complexities can seem overwhelming, but they don’t have to stop you from starting your compliance journey. At KirkpatrickPrice, we partner with you to ensure the scope of your engagement and audit framework align with your compliance goals. Contact us today to learn more about FISMA or FedRAMP and how we can help you start your audit journey.


Independent Audit Verifies Cognigy’s Internal Controls and Processes

Düsseldorf, Germany | San Francisco, USA | Sydney, Australia – Cognigy, a global Conversational AI platform vendor, today announced that it has completed its SOC 2 Type I audit, performed by KirkpatrickPrice. This attestation provides evidence that Cognigy has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have designed the necessary internal controls and processes.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design of Cognigy’s controls to meet the standards for these criteria.

“Achieving the SOC 2 Type I audit validation demonstrates Cognigy’s commitment to providing the most secure software and highest quality services to our customers and partners,” said Sascha Poggemann, COO and co-founder of Cognigy. “Cognigy facilitates millions of web, text, mobile, and voice conversations between Customer Service teams and their clients and employees, and it’s our high standards of managing solutions that they trust to conduct business.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Cognigy delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Cognigy’s controls.”

About Cognigy

Cognigy is a global leader in conversational AI automation for contact centers. Its low-code platform, Cognigy.AI, enables enterprises to automate customer and employee communications using intelligent voice- and chatbots. With precise, reliable intent recognition, highly flexible dialogs, and seamless integration into backend systems, Cognigy.AI creates superior user experiences and helps companies reduce support costs and improve scalability. Cognigy.AI is available in SaaS and on-premise environments and supports conversations in any language and on any channel, including web, phone, SMS, and mobile apps. Cognigy’s worldwide client portfolio includes Daimler, Bosch, Lufthansa, Salzburg AG and many more. Learn more at cognigy.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over one thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.

Using KirkpatrickPrice for Audit Readiness

We’ve seen more and more automated solutions and tools enter the market that promise easy and cheap compliance, no commitment, and expert guidance. Don’t be fooled, though! These audit prep solutions and tools are actually only promising one thing: readiness.

Unlike firms with automated solutions and tools that focus solely on audit readiness, KirkpatrickPrice provides a comprehensive audit experience. Those tools cannot provide what you actually need, which is a reputable auditor to perform testing and deliver an audit report. At KirkpatrickPrice, we can take you from start to finish.

First, we’ll begin with readiness and remediation, then move into the audit, and finally, culminate with a high-quality audit report – all with expert auditor guidance along the way. Want to learn more about how KirkpatrickPrice’s readiness services can streamline your audit process? We’re ready to support your team in this compliance journey!

In order to debunk what readiness tools offer versus readiness options through your auditor, we recommend doing your due diligence and asking questions about the tools. If you’re considering using a solution or tool before engaging with an auditor, we recommend asking the following questions during your research.

1. Does your company qualify as a certified CPA firm?
Did you know that CPA firms are the only organizations that can deliver a SOC report? There’s a reason why – because CPA firms are held to the highest standard of integrity. To that end, CPA firms that specialize in information security are the only ones who should be giving advice on how to prepare for an audit.

2. Does your company go through a peer review?
The AICPA requires CPA firms to be inspected via a peer review to ensure that they have implemented a practice monitoring program. If the company goes through a peer review, you can find relief in knowing that you are partnering with a reputable firm.

3. What percentage of your staff has experience in data security?
We’ve seen readiness competitors have as little as 3% of staff with a legitimate background in anything related to data security. Instead, they have staffs full of developers, engineers, and marketers. Wouldn’t you rather take advice from someone who has actually performed an audit or been audited?

4. What types of certifications does your staff have?
If someone is giving you advice on how to prepare for an audit, they need to hold active, industry-recognized certifications. These certifications are a signpost for identifying genuine experts in data security, IT, cybersecurity, and privacy. Do your due diligence to find out if their staff holds baseline certifications like Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certificate of Cloud Security Knowledge (CCSK).


For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.
