Federal contractors and government agencies that have access to sensitive data or sensitive government information must comply with the cybersecurity requirements established under the Federal Information Security Modernization Act (FISMA) and its enabling regulations. The Cybersecurity and Infrastructure Agency (CISA), National Institute of Standards and Technology (NIST), and various other federal agencies have published guidance as well, and Executive Order 14028 (issued on May 12, 2021) establishes additional requirements for maintaining FISMA compliance. 

In short, establishing and maintaining FISMA compliance is a time-consuming and resource-intensive process, and federal contractors need to ensure compliance on an ongoing basis. To determine whether they are remaining FISMA compliant (and, if they aren’t, to determine what they need to do), federal contractors can (and should) conduct internal FISMA audits. 

“Conducting regular FISMA audits is a key component of an effective FISMA compliance program. Federal contractors that use the audit process to their advantage can effectively manage their risk while keeping sensitive government data secure.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

There are several steps involved in conducting a FISMA audit; and, for an audit to be effective, it must be resoundingly comprehensive. Overlooking systems, data storage facilities, or compliance failures can frustrate the purpose of the audit, and it can leave contractors believing they comply when in fact they are exposing sensitive government information (and themselves) to attack.

The Who, What, When, Where, and Why of FISMA Audits

To conduct comprehensive and effective FISMA audits, there is a lot that federal contractors need to know. Here is some key information about the FISMA audit process: 

Who Should Conduct FISMA Audits? 

The Federal Information Security Modernization Act applies to federal contractors that have access to sensitive government information. As the CISA explains, FISMA requires federal agencies and contractors, “to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.” The information covered under FISMA includes, but is not limited to, controlled unclassified information.  

While federal contractors that have access to sensitive government information must conduct FISMA audits, they should rely on outside counsel to manage and oversee all aspects of the audit process. Not only is comprehensiveness critical, as we have already discussed, but federal contractors will need to rely on their counsel to evaluate their FISMA compliance programs and identify any compliance failures as well. 

What Is a FISMA Audit? 

Simply put, a FISMA audit is a comprehensive examination of a federal contractor’s efforts to comply with the Federal Information Security Modernization Act and the rules and regulations promulgated thereunder. However, practically speaking, a FISMA audit is far from a simple process. Conducting an effective audit requires an in-depth understanding of the contractor’s IT systems, data storage facilities, and government business, and it requires equal knowledge of the various sources of legal authority that apply. When conducting FISMA audits, federal contractors should generally reference the government’s published guidance as well—including the FISMA metrics that CISA publishes and updates annually. 

When Should Federal Contractors Conduct FISMA Audits? 

Federal contractors should conduct FISMA audits annually—both to assess the continued efficacy of their compliance programs and to document their ongoing efforts to maintain compliance. Contractors should also generally conduct audits when they: (i) modify their information systems, data storage facilities, or operating environments; (ii) execute major deployments of new hardware through which employees will access sensitive government information; (iii) gain access to new types of controlled information; or, (iv) CISA, NIST, or any other federal  agency or authority issues significant updates to their regulations or FISMA guidance. 

Where Should Federal Contractors Perform FISMA Audits? 

The answer to this question is not necessarily as straightforward as it may seem. While federal contractors must audit their own information systems, security controls for federal information systems, and operating environments, they must also examine third-party operating systems and data storage platforms (including managed services platforms and cloud servers). Again, comprehensiveness is key, and this is a theme you will see emphasized repeatedly. When conducting FISMA audits, federal contractors must examine all relevant hardware and software—whether located at their offices, in the field, or in third-party facilities.

Why Are FISMA Audits Necessary for Federal Contractors? 

FISMA audits are necessary for two primary reasons. The first is protecting the security of sensitive government information. Contractors that have access to this information must protect it, and they must generally deploy the same level of protection as the federal government under FISMA. 

Second, federal contractors that fail to comply with FISMA can lose their government business. They can face other penalties as the result of ensuing federal audits and investigations as well. As a result, conducting FISMA audits is a key element of effective risk management for federal contractors. By conducting FISMA audits, federal contractors can ensure that they remain in compliance (and that they remedy any compliance deficiencies promptly), and this will allow them to manage their contract-related cybersecurity risk effectively. 

How Do Federal Contractors Conduct FISMA Audits? 

Now that we’ve covered the who, what, when, where, and why of FISMA audits, we can now focus on how to audit FISMA compliance effectively. Conducting an effective FISMA audit is a multi-step process, and contractors must work with their outside counsel during each step to ensure that their audits lead to accurate conclusions. 

With this in mind, some of the key steps involved in conducting a FISMA audit include: 

• Identifying All Relevant Internal Systems, Software Applications, and Hardware – As even a single compliance failure can expose sensitive government data to malicious intrusions, federal contractors must comprehensively identify all systems, software applications, and hardware that need to be reviewed. This starts with identifying all relevant assets internally. 

• Identifying All Relevant External Systems, Services, and Facilities – When conducting FISMA audits, federal contractors must identify all relevant external systems, services, and facilities as well. Even when federal contractors engage third-party data storage providers and cybersecurity vendors, contractors remain directly responsible for FISMA compliance. 

• Examining the Federal Contractor’s FISMA Compliance Documentation – Federal contractors need to ensure that their compliance documentation remains adequate in light of any changes to their operating environments, their risks, or the applicable FISMA rules or regulations. As new cybersecurity solutions come to market and new threats arise, these may necessitate changes to contractors’ FISMA compliance programs as well. 

• Addressing Any New FISMA Regulations or Guidance – The CISA issues updated FISMA metrics annually, and it is not unusual for new regulations or Executive Orders to alter federal contractors’ FISMA compliance burdens. Contractors must remain up-to-date on all pertinent FISMA compliance requirements and address any material changes as necessary. 

• Evaluating the Contractor’s System Security Plan and Cybersecurity Controls – A System Security Plan (SSP) is a key component of an effective FISMA compliance program, and FISMA requires that federal contractors adopt various cybersecurity controls. Both System Security Plan and Cybersecurity Controls should command particular attention during the FISMA audit process. 

• Assessing the Contractor’s Testing, Enforcement and Monitoring Efforts – Testing (including ground truth testing beyond the use of standard vulnerability scanning tools) is a key component of FISMA compliance as well. FISMA audits should focus on assessing the efficacy of contractors’ testing efforts, and they should thoroughly examine contractors’ enforcement and monitoring efforts as well. 

• Assessing the Contractor’s Log Management Capabilities – To maintain FISMA compliance, federal contractors should have robust log management capabilities. They should have systems in place to log all updates, patches, tests, and threats as a matter of course, and these systems should securely store all logged data in a manner that allows for efficient retrieval when necessary. 

• Reviewing the Contractor’s Certifications and Accreditations – Maintaining FISMA compliance may also require the maintenance of various certifications and accreditations. When conducting FISMA audits, contractors should ensure that they have all necessary certifications and accreditations, and they should confirm that all requisite certificates remain active. 

• Examining the Contractor’s Smart Patch Management Processes – FISMA audits should also examine federal contractors’ smart patch management processes. As the CISA notes, “Operations can be impacted by software patches that create unintended consequences to interoperability. However, unpatched systems can leave vulnerabilities exposed that can be exploited by adversaries.” As a result, when conducting audits, federal contractors must ensure not only that they have implemented all necessary patches for all relevant applications, but also that these patches have not inadvertently created new vulnerabilities. 

• Examining the Contractor’s Resilience – Finally, to ensure that their operations and secure environments are resilient, federal contractors should have documented incident response, disaster recovery, business continuity, and business impact analysis plans in place. As part of the FISMA audit process, federal contractors should review these plans; and, to the extent that they have implemented any of these plans since their most-recent audit, they should examine these plans’ efficacy in real-world scenarios. 

This list is far from comprehensive. Establishing and maintaining FISMA compliance is not easy, and assessing FISMA compliance involves a similar level of difficulty. But, with the right approach, federal contractors can use the audit process to help them manage FISMA compliance effectively, and they can use their audit documentation to demonstrate compliance to their contracting agency (or other federal authorities) when necessary.