Guidance on FISMA compliance for federal grant applications

Originally passed in 2002 and modernized in 2014, the Federal Information Security Management Act (FISMA) requires federal agencies and their subsidiaries to implement information security programs that protect the national and economic interests of the United States. This law has become the de facto standard for information security of federal and federally funded systems. This guidance applies to all federally mandated compliance: FISMA, NIST 800-53, FedRAMP, NIST 800-171, CMMC, or VA Handbook.

It is important for faculty pursuing federally funded contracts and grants that explicitly require FISMA information security controls and compliance to understand that these laws are essential to protecting our research subjects, our patients, our institution, and ourselves during an unprecedented time of ubiquitous cyberattacks.

How-to Guide for FISMA Compliance

Utilize the following Standard Operating Procedures for all applications for federally funded research opportunities that specify FISMA compliance. When done properly, with early engagement and co-development of project strategy and FISMA controls, FISMA certification should add approximately 30-60 days to any project timeline.

Consult Institutional FISMA Authorities

Prior to the submission of any letter of intent (LOI) for a federally funded research opportunity that specifies FISMA compliance, consult with the FISMA Operations office for the School of Medicine by contacting fisma.som@duke.edu. This office, formed in May 2022, is designed to facilitate adherence to FISMA requirements from start to finish. The FISMA office will triage with Duke security and digital offices as needed.

Budget for FISMA compliance

FISMA applies to specific systems and systems boundaries, not institutions, so the corresponding necessary security controls need to be factored into the application budget.

As a general guide, FISMA certification will add approximately 35% to the technology costs of a given system. This means that, for a system estimate of $100,000, $35,000 should be added and the total budget of $135,000 should be submitted in the grant application (assuming FISMA Moderate compliance). For FISMA Low compliance, the number may be slightly less, but for FISMA High compliance, the number may be significantly larger.

Factor FISMA into the study design

The nature of FISMA controls is such that they can be extremely difficult to add to an existing system, because they are often tied to the system's basic workflow. This means that FISMA design must be done at the same time as the study design; otherwise, expensive re-work is inevitable.

Complete all review and approvals prior to submission

Any grant application for a funding opportunity requiring FISMA compliance must:

  • Have explicit FISMA entries within the proposed budget and timelines, approved by the appropriate expert resource
  • Add a mandatory information security review prior to final budget authorization and submission

FISMA and the School of Medicine

Dr. Eric Perakslis, Chief Research Technology Strategist for the Duke University School of Medicine, and Dr. Mary Klotman, Dean of the Duke University School of Medicine, discuss the importance of FISMA compliance for School of Medicine researchers

Additional Information about FISMA Compliance

Understanding FISMA

FISMA defines three security objectives for information and information systems: confidentiality, integrity and availability as shown and explained in the table below.

Confidentiality

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C. § 3542]

A loss of confidentiality is the unauthorized disclosure of information.

Integrity

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C. § 3542]

A loss of integrity is the unauthorized modification or destruction of information.

Availability

“Ensuring timely and reliable access to and use of information…” [44 U.S.C. § 3542]

A loss of availability is the disruption of access to or use of information or an information system.

FISMA Compliance Levels: Low, Moderate, High

There are three FISMA compliance levels, with Moderate being the most commonly required for federally funded research that takes place outside of national security, military, and combat environments. These impact levels are of critical importance, as they dictate the strength and stringency of the required controls. Most RFAs specifying FISMA requirements will explicitly specify a FISMA level. For human subjects research, the default is often FISMA Moderate.

Low Impact

Low impact indicates that a loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples of low impact incidents include:

  • A breach that causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
  • A breach that results in minor damage to organizational assets;
  • A breach that results in minor financial loss; and/or
  • A breach that results in minor harm to individuals.

Moderate Impact

Moderate impact indicates that the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Examples of incidents with moderate impact include:

  • A breach that causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
  • A breach that results in significant damage to organizational assets;
  • A breach that results in significant financial loss; and/or
  • A breach that results in significant harm to individuals.

High Impact

High impact indicates the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples include:

  • A breach that causes a severe degradation in mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
  • A breach that results in major damage to organizational assets;
  • A breach that results in major financial loss; and/or
  • A breach that results in severe or catastrophic harm to individuals, involving loss of life or serious life-threatening injuries.

FISMA Authorization, Compliance, and Controls

Authorization

FISMA authorizations apply to systems, not organizations. This means that an organization that has FISMA-compliant systems is not “certified” to be fully FISMA compliant. Rather, only the specific compliant systems are considered FISMA compliant.

Compliance

FISMA compliance can only be achieved by the implementation and testing of a combination of procedural controls and security controls. Generally, the burden of procedural controls falls on the business, while the security controls are established by the information security and technology teams.

  1. The certifying document for FISMA compliance is called an Authority to Operate (ATO), which is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to operations of the system and project.
  2. Because the ATO is the certifying document, full research activities on any FISMA program should not commence until an ATO is in place. For example: in a clinical research network, the network can be established, and initial operations started prior to obtaining the ATO, but patient data should not enter the system until the ATO is complete.

Controls

Because FISMA controls can be complex and because the nature of cyber threats is constantly evolving, the federal government has established a FISMA pre-certification program for cloud hosting vendors called the Federal Risk and Authorization Management Program (FedRAMP). The utilization of FedRAMP environments is a highly effective way to minimize FISMA risks to any institution.

Need assistance with FISMA compliance?

Contact: fisma.som@duke.edu