January 28, 2023

Volume XIII, Number 28



FISMA Compliance: What Federal Contractors Need to Know about the FISMA CIO Metrics

The Federal Information Security Management Act (FISMA) requires federal agencies and contractors to adopt federal cybersecurity protocols that are adequate to protect sensitive government information. For federal contractors, FISMA compliance can present a substantial burden—as FISMA and its enabling regulations require much more than what would comprise a typical corporate cybersecurity program. 

Fortunately, several forms of guidance are available. The not-so-good news is that the available guidance is often both complex and insufficiently specific to serve as a true step-by-step guide to FISMA compliance. Even so, federal contractors can—and generally should—use this guidance to help them comprehensively address their statutory and regulatory cybersecurity obligations. FISMA guidance is designed to help agencies focus on practical security outcomes by measuring the use of rigorous multi-layered security testing, the automation of security and compliance controls, and progress in adopting a zero-trust architecture.

One guidance document in particular that many federal contractors will find useful is the FISMA Chief Information Officer (CIO) Metrics. As the Cybersecurity and Infrastructure Security Agency (CISA) explains, the CIO Metrics serve as a “supplemental document” to the Guidance on Federal Information Security and Privacy Management Requirements (FISMA Guidance) that the Office of Management and Budget (OMB) publishes each year. While both of these documents are directed specifically toward federal agencies, federal contractors must generally match the government’s cybersecurity capabilities when they have access to sensitive government information, so these documents provide critical guidance to contractors as well.

“Maintaining FISMA compliance is critical for federal contractors that have access to sensitive government data. But, while maintaining compliance is important, it is not easy, and contractors must devote the resources necessary to ensure that they are not leaving sensitive data (and themselves) exposed.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C. 

While the OMB’s FISMA Guidance serves as a primary resource for federal contractors that are subject to FISMA compliance, the FISMA CIO Metrics provide additional insight into how CISA assesses compliance. As such, considering the FISMA CIO Metrics proactively can help federal contractors develop compliance programs that will withstand federal scrutiny. Crucially, however, as CISA notes in the FY 2022 FISMA CIO Metrics, “Achieving the metrics alone will not address every cyber threat, and agencies [and contractors] will need to implement additional defenses to effectively manage their cybersecurity risks.”

In short, the FISMA CIO Metrics are just one of several tools—albeit an important one—that federal contractors can use to develop and assess their FISMA compliance programs. By examining their compliance programs under these metrics, contractors can assess whether their programs are sufficiently comprehensive in terms of their overall scope, and they can identify a variety of specific gaps that may leave government data exposed and might compromise government systems. 

Assessing FISMA Compliance Under the FY 2022 FISMA CIO Metrics

The FY 2022 FISMA CIO Metrics examine FISMA compliance in 10 critical areas. Within each of these critical areas, the metrics address several specific compliance obligations under FISMA and its enabling regulations. Notably, however, while some of the metrics are fairly specific and intuitive (e.g., “Does the agency have a centralized blue team, decentralized blue teams, or no blue team(s)?”), others leave contractors to judge for themselves whether their compliance efforts are sufficient (e.g., “How many threat model exercises were conducted in the last reporting period?”). This is where referencing FISMA, the FISMA regulations, and the other available guidance documents comes into play.

Here is a brief overview of the 10 critical areas of compliance under the FY 2022 FISMA CIO Metrics: 

1. Enumerating the Environment

There are three metrics in this area. The first simply involves quantifying the number of unclassified federal information systems within each of the National Institute of Standards and Technology (NIST) FIPS 199 categories (High-Impact, Moderate-Impact, and Low-Impact). After taking an inventory of their systems within each category, the metrics then indicate that contractors should be able to quantify and identify the hardware assets operating each system. Finally, contractors must be able to identify all cloud services and cloud service providers they use to store sensitive government data. 

2. Multifactor Authentication and Encryption 

Regarding multifactor authentication and encryption, the FY 2022 FISMA CIO Metrics assess a list of 16 quantitative measures that, again, are more informational than prescriptive. However, the metrics then go on to provide information on specific multifactor authentication and encryption requirements, as established by Executive Order 14028.

Federal contractors must ensure that they are adequately encrypting sensitive government data at rest and in transit, and they must ensure that they have multifactor authentication protocols consistent with Executive Order 14028’s requirements for each type of system addressed in the list of quantitative measures. For illustrative purposes, some examples of these quantitative measures include: 

  • “How many systems . . . will only establish network connections that are encrypted in transit, where the encrypted network connection guarantees confidentiality, authenticity, and integrity?”

  • “How many of the systems . . . have mandatory PIV access enforced (not optional) for internal users as a required authentication mechanism?”

  • “How many systems (from 2.6) require the user to change their password at periodic intervals, whether or not the credential is known to be compromised?”

3. Logging

Logging is a critical component of FISMA compliance for federal contractors. Not only does FISMA require logging, but effective logging can also help contractors demonstrate compliance with their contracting agencies (and other federal authorities) when necessary. Regarding logging, the FY 2022 FISMA CIO Metrics require self-evaluation of enterprise log management capabilities and denote four possible levels of compliance: Not Effective, Basic, Intermediate, or Advanced. 

4. Critical Software

The FY 2022 FISMA CIO Metrics identify seven types of critical software security measures that may be necessary to provide adequate security for sensitive government data, while acknowledging that not all seven types will be required in every case. Federal contractors can use this list to identify the security controls or measures they should have in place, and then they should take the follow-up step of ensuring that all required software applications are functioning as intended. The seven types of critical software security measures listed in the FY 2022 FISMA CIO Metrics are:

  • Multi-factor authentication that is verifier impersonation-resistant for all users and administrators

  • Fine-grained access control for data and resources

  • Protection for data at rest by encrypting sensitive data

  • Protection for data in transit by using mutual authentication whenever feasible and by encrypting sensitive data communications

  • Data backup and restoration and recovery capabilities

  • Patch management to maintain all critical platforms and software 

  • Logging capabilities to record necessary information about security events

5. Implementing IPv6

Federal agencies and contractors are expected to transition to IPv6. The FY 2022 FISMA CIO Metrics require the identification of hardware assets that are still operating on IPv4 only, that have both IPv4 and IPv6 capabilities, and that are operating exclusively on IPv6.

6. Workforce

The FY 2022 FISMA CIO Metrics also examine federal agencies’ workforces, specifically focusing on whether agencies have filled various cybersecurity roles, “taking into consideration the level of risk at the federal agency.” Contractors must perform a similar analysis, and they must determine whether it may be necessary to hire additional full-time employees or engage additional vendors to effectively protect sensitive government data and maintain FISMA compliance. The metrics indicate that it may be necessary to have one or more individuals assigned to each of the following roles:

  • Forensics Analyst 

  • Incident Responder 

  • Secure Software Assessor

  • System Testing and Evaluation Specialist 

  • Vulnerability Assessment Analyst 

  • Threat/Warning Analyst 

  • Exploitation Analyst 

7. Ground Truth Testing

In the FY 2022 FISMA CIO Metrics, CISA writes, “Ground truth testing looks to go beyond the assumption that generic vulnerability scanning tools are sufficient for testing system security.” The metrics go on to list eight different types of testing that agencies and contractors may need to perform to comply with FISMA, and then they probe the efficacy of agencies’ and contractors’ efforts regarding each type of test. As indicated in the metrics, necessary types of ground truth testing may include: 

  • Penetration testing using automated tools

  • Penetration testing using manual, expert analysis 

  • Red team exercises 

  • Static and dynamic code analysis 

  • Public paid vulnerability testing

  • Private paid vulnerability testing

  • CISA Risk and Vulnerability Assessments (RVA)

  • CISA Validated Architecture Design Reviews (VADR)

8. Smart Patching

Patching is critical for maintaining FISMA compliance, and the FY 2022 FISMA CIO Metrics specifically emphasize smart patching as the most appropriate means for maintaining effective cybersecurity. The metrics list several questions focused on assessing the breadth and efficacy of agencies’ and contractors’ patch management processes. 

9. Vulnerability Disclosure

As the FY 2022 FISMA CIO Metrics explain, “Public vulnerability disclosure programs, where security researchers and other members of the general public can safely report security issues, are used widely across the Federal Government and many private sector industries. These programs are an invaluable accompaniment to existing internal security programs and operate as a reality check on an organization’s online security posture.” The metrics make clear that agencies (and contractors by extension) are expected to have robust vulnerability disclosure programs.

10. Resilience 

The final critical area outlined in the FY 2022 FISMA CIO Metrics is resilience. To maintain resilience in compliance with FISMA’s requirements, agencies and contractors should generally have four types of contingency plans: 

  • Incident response plans

  • Disaster recovery plans

  • Business continuity plans

  • Business impact analyses

In addition to ensuring that they have these plans in place, contractors should also assess each plan’s effectiveness to the extent that it has been deployed. The metrics include a list of questions to guide this analysis. 

How Can Federal Contractors Establish (and Maintain) FISMA Compliance? 

Given that this is a high-level overview of just one of several guidance documents, what can—and should—federal contractors do to establish (and maintain) FISMA compliance? To achieve compliance, comprehensiveness is key, and government contractors need to work with experienced counsel to ensure that they are effectively implementing custom-tailored FISMA compliance programs that satisfy all pertinent FISMA compliance requirements.

Oberheiden P.C. © 2023 National Law Review, Volume XII, Number 314

About this Author

Dr. Nick Oberheiden, Federal Criminal Defense Attorney, Oberheiden P.C.

Dr. Nick Oberheiden focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation. He has defended clients in PPP Loan Fraud cases and COVID-19 investigations. Nick also directs internal corporate investigations and he leads defense teams in whistleblower actions, corporate defense cases, as well as cases involving national security and elected officials.

Clients from more than 45 U.S. states have hired Nick to seek effective protection against government...