GovDataHosting's FISMA compliant cloud services comply with NIST and DoD RMF methodologies. Authorization through the A&A process involves a rigorous inspection in which our cloud policies, procedures, controls, and contingency planning are reviewed.
FISMA lays the groundwork for federal agencies to evaluate and understand the security of their information systems, applicable security controls, and security threats, and aids in resolving any deficiencies.
For each information system operated by or for a federal agency, a FISMA compliant cloud documentation package must be generated, including:
Information on security policies and procedures
The likelihood and impact of all possible threats
Evaluation and periodic testing of security policy efficiency
Evaluation of technical, management, and operational security controls
Security awareness training and expected rules of behavior for end-users
Procedures for reporting and responding to incidents
A process for addressing any reported deficiencies
Inventory of software and hardware assets
Contingency plans to ensure continuity of operations in the face of a disaster
Policies and procedures for detecting, tracking, and resolving vulnerabilities
Periodic risk assessments
What Is Required?
In preparing a FISMA A&A accreditation package, the following documents are typically required:
System Risk Categorization (FIPS 199)
System Boundary Diagram
Network Diagram and Data Flow Diagram
Configuration Management Plan (CMP)
System Security Plan (SSP)
System Contingency Plan (CP)
Testing & Evaluation (ST&E)
Incident Response Plan (ICP)
Plan of Actions and Milestones (POAM)
On average, a GovDataHosting team of two consultants experienced in A&A can help our cloud customers achieve accreditation in 3-6 months, though more time may be required depending on a system's risk categorization.
Contact us today to find out how our team can assist with the proper documentation to ensure a completely FISMA compliant cloud solution.