Q

What criteria should I look for in a service provider to help my government agency comply with FISMA?

In order to fully protect the agency's information, there must first be a security officer. Security management expert Mike Rothman gives his advice on the FISMA compliance process.

I am currently in search of service providers that help government agencies meet FISMA requirements. What are the criteria I should look for in a service provider, specifically one to help with compliance?
Unfortunately, there are no silver bullets, so ultimately someone internal to the agency, along with a service provider implementing a structured security program, must accept responsibility for the protection of the agency's information.

Once that person is in place, the next step is figuring out the current state of the information security program. Does one exist? How effective is it? A service provider can help build an architecture for security, which will involve learning what needs to be protected, where the information is, how various systems gain access to and use the data and then figuring out the best way to protect the implementation. There are a variety of organizations that can do this.

Concerning implementation, service providers can help to install new gear and manage the infrastructure. One option is a managed security services (MSS) provider, which assists with the operational responsibilities of managing the devices. The MSS market is maturing, so providers should have a long and successful track record of providing pertinent services. Secure data centers, lots of certified staffers and significant financial resources are all important criteria of providers.

Compliance is a totally different issue; it's more about defining where the organization needs to go than the day-to-day work to get there. I always counsel clients to think about security first and let compliance follow. Documenting and substantiating the implemented security controls is enough for most auditors.

This was first published in April 2008
