FISMA vs. FedRAMP and NIST: Making Sense of Government Compliance Standards

Government compliance standards can be confusing. Making matters worse, many of them overlap, and organizations aren’t certain which standards apply to them.

Even if your organization does not currently operate in the public sector, it is important to understand the fundamentals of FISMA, FedRAMP, and NIST. The U.S. government is the single largest buyer of goods and services in the world, and it may require that you follow one of these standards to do business with it. Grant funding may also depend on following government compliance standards. Historically, any information security standards that the federal government implements ultimately trickle down into state and local laws, as well as industry frameworks.


What is FISMA?

FISMA was first enacted in 2002 as the Federal Information Security Management Act, then updated in 2014 to the Federal Information Security Modernization Act. FISMA applies to:

  • All federal government agencies
  • State agencies that administer federal programs, such as Medicare/Medicaid and student loans.
  • All private-sector firms that support federal programs, sell services to the federal government, or receive federal grant money.

FISMA is built around the idea of a single ‘system’. For each system you operate, either within a federal agency or in support of one, that system has to meet the standards of its SSP (system security plan). The plan can differ from system to system, which is why it is singular. So, if you operate one system for the Department of the Interior and do research on another system for the FDA, you would need two different ATOs (Authorizations to Operate), because the SSPs may (and in practice will) differ based on the type of system and data.

How do the SSPs get produced? In some cases, you may develop your own SSP, which must then be approved by the certifying agent before you receive an ATO. In other cases, the system will have a defined SSP based on an RFP. In either case, the base framework for building the SSP is NIST 800-53. We start by classifying the system as High, Moderate, or Low based on the confidentiality of its data. We then take the 800-53 controls that apply to that classification, use the RMF (risk management framework) to determine which of them are applicable and which are not for that particular system, and build the SSP from the result. Next we put together a SAP (system assessment plan) and perform an assessment to make sure the system meets the plan; the output of that assessment is a SAR (system assessment report). Once these steps are complete, the system can go for an ATO. An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes the operation of a Business Product and explicitly accepts the risk to agency operations. The ATO is signed after a Certification Agent (CA) certifies that the system has met and passed all requirements to become operational.

A FISMA assessment may be performed directly by the agency granting the ATO or a third-party assessment organization (3PAO).

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) was designed to support the federal government’s “cloud-first” initiative by making it easier for federal agencies to contract with cloud providers. Like FISMA, the controls outlined in FedRAMP are based on NIST 800-53.

As such, it is very similar to FISMA in process: the SSP, SAP, and SAR are all the same as in the FISMA process. Unlike FISMA, which requires organizations to seek an ATO from each individual federal agency, a FedRAMP ATO qualifies a cloud service provider to do business with any federal agency. FISMA = one to one, FedRAMP = many to one. Because FedRAMP ATOs are more far-reaching, the certification process is far more rigorous and must also be performed by a certified third-party assessment organization (3PAO). Finally, FedRAMP is more specific than FISMA. FISMA applies to information systems security in general, while FedRAMP applies only to cloud service providers and federal agencies that plan to use cloud service providers.


What is NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency that is part of the United States Department of Commerce. Its mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

Among many other responsibilities, NIST creates and promotes information security standards for federal government compliance. These standards are outlined in NIST’s SP 800 series of publications, including NIST SP 800-53 (also known as NIST 800-53), which documents the security controls for all federal information systems and organizations, except those designed for national security. Federal agencies must comply with NIST guidelines and standards within one year of their publication.

The controls outlined in NIST 800-53 are the basis for FISMA as well as FedRAMP, DFARS, CJIS, HIPAA, and FedRAMP+.

Still confused about which government compliance requirement(s) apply to your organization or clients? Our compliance team can help.


Tracy Fox
