What Is the Difference Between FedRAMP and FISMA, Anyway?

When discussing security at a data center or in a cloud environment, it’s easy to get lost in the swirling acronyms: SSAE, SOC, PCI-DSS, HIPAA, FISMA, FedRAMP. It’s a lot. When the conversation turns to government infrastructure needs, FedRAMP and FISMA get tossed around like a hot potato. Throw in FISMA High or Moderate and it gets confusing fast for the uninitiated. Time to clear the air. Let’s clarify what FedRAMP and FISMA really are.

First, FISMA. FISMA is the Federal Information Security Management Act. It was enacted in 2002 to strengthen information security for the information and information systems of each federal agency. The National Institute of Standards and Technology (NIST) developed the standards and guidelines (FIPS 199 and FIPS 200, with the control catalog in NIST SP 800-53) that federal agencies, and the contractors and other organizations that operate systems on their behalf, must adhere to. For a data center, the security of the physical infrastructure is assessed and then monitored on a continuous basis. The Low, Moderate, and High labels attached to FISMA compliance are the FIPS 199 impact levels: the higher the impact level of the data a system handles, the larger the baseline of controls that must be implemented and tested. So, for instance, under the baseline this post references, a FISMA High data center would have been assessed against 343 controls, while a FISMA Moderate facility would have been assessed against 261 (the exact count depends on the revision of SP 800-53 in use). High provides the strictest set of controls and is reserved for data whose loss of confidentiality, integrity, or availability would have a severe or catastrophic effect on the organization. For most uses, FISMA Moderate or even Low will be adequate, though. I won’t delve too deep into that here.

FedRAMP is the Federal Risk and Authorization Management Program. It was established in 2011 to support the federal “Cloud First” policy and to give more specific guidance for securing cloud services than FISMA alone provided. Note that FedRAMP authorizes rather than certifies: once a cloud service holds a FedRAMP authorization, any government agency (and the organizations that support it) can reuse that authorization package, with the confidence that a common, high standard of security controls has been assessed. As the government puts it, “do once, use many times.” As with FISMA, FedRAMP also requires ongoing assessment to ensure continuous adherence to the standards.

From the FedRAMP.gov website:

“FedRAMP authorizes cloud systems in a three step process:

  1. Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
  2. Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
  3. Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.”

This is definitely a high-level overview, but one that I hope helps you crystallize the differences and similarities between FedRAMP and FISMA. In short: FISMA is the law and the NIST control framework that applies to federal information systems generally, while FedRAMP is the program that applies that same framework to cloud services so that one authorization can be reused across agencies. If you find yourself or one of your partners in need of a highly secure data center or cloud solution, give us a call; we’d be happy to help.