You probably understand that FISMA is a piece of legislation that defines cybersecurity standards throughout the federal government. But what is FISMA, exactly, and what is its relationship with CMMC? Read on to discover the answers to these questions.
About CMMC
The Cybersecurity Maturity Model Certification is a framework developed by the Department of Defense to bolster cybersecurity standards throughout the Defense Industrial Base (DIB) and ensure that defense contractors safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC applies to all defense contractors and subcontractors. So, if you are part of the DIB and want to keep being awarded DoD contracts, then CMMC compliance should be your top priority.
We understand that CMMC can be overwhelming, so we have put together some resources to help defense contractors make sense of it:
- CMMC for Small Businesses: a Starter Kit
- What CMMC Level Do I Need?
- What Is Controlled Unclassified Information (CUI), Exactly?
What Is FISMA?
FISMA stands for Federal Information Security Modernization Act, a federal law that establishes the Department of Homeland Security’s (DHS) role in:
- Administering the implementation of information security policies for Federal Executive Branch civilian agencies
- Overseeing agencies’ compliance with those policies
- Assisting the Office of Management and Budget (OMB) in developing those policies
FISMA requires federal agencies to provide information security protections commensurate with the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of:
- Information collected or maintained by or on behalf of an agency.
- Information systems used or operated by an agency, or by a contractor of an agency or another organization on behalf of an agency.
FISMA applies to federal agencies but also to contractors or other sources that provide information security for the information and information systems that support the operations and assets of federal agencies.
For the purposes of FISMA, a Federal Information System is defined as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.”
Just like CMMC, FISMA evaluations use maturity levels to rate an organization's information security program. In the case of FISMA, the five levels come from the annual FISMA Inspector General (IG) reporting metrics, and they are organized as follows:
- Ad-hoc. Policies, procedures, and strategies are not formalized; activities are performed in an ad-hoc, reactive manner.
- Defined. Policies, procedures, and strategies are formalized and documented but not consistently implemented.
- Consistently Implemented. Policies, procedures, and strategies are consistently implemented, but quantitative and qualitative effectiveness measures are lacking.
- Managed and measurable. Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategies are collected across the organization and used to assess them and make necessary changes.
- Optimized. Policies, procedures, and strategies are fully institutionalized, repeatable, self-generating, consistently implemented, and regularly updated based on a changing threat and technology landscape and business/mission needs.
One of the main components of the FISMA framework is NIST SP 800-53, a catalog of 1189 controls and control enhancements distributed across 20 control families (Revision 5).
FISMA requires each agency's Inspector General (IG), or an independent external auditor selected by the IG, to perform an annual independent evaluation of the agency's information security program and practices to determine the maturity and effectiveness of that program.
CMMC vs FISMA: Similarities and Differences
Although you have probably noticed some superficial similarities between CMMC and FISMA (such as the use of maturity levels and the reliance on a NIST standard), there are some important differences too.
The main distinction between the two frameworks is the NIST publication each one builds on: CMMC is based on NIST SP 800-171 (Level 2) and, for Level 3, a subset of its supplement, NIST SP 800-172, while the main component of FISMA is NIST SP 800-53.
NIST SP 800-171 and NIST SP 800-172 outline the required security standards and practices for non-federal organizations that handle Controlled Unclassified Information (CUI) on their networks.
NIST SP 800-53, on the other hand, is the information security standard for federal information systems, agencies, and associated government contractors.
So, for example, when a contractor provides IT services to a federal agency under an outsourcing agreement, their system is considered a federal system and FISMA standards apply.
Information systems used internally by DoD contractors, on the other hand, are considered non-federal systems and must comply with CMMC standards.
Another important difference is that CMMC focuses on protecting FCI and CUI held by defense contractors, while FISMA governs the information security programs of federal agencies as a whole. Therefore, it's fair to say that the scope of FISMA is broader than that of CMMC.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063