
How can companies avoid failing the annual FISMA audit?

The annual FISMA audit is designed to ensure that agencies maintain consistent security standards. Here's how to prepare for the audits.

My agency has a history of failing its annual FISMA audit, despite efforts to bolster our programs. How can we better prepare for the audits and be sure to pass this time?

The Federal Information Security Management Act of 2002 (FISMA) was an early attempt to apply consistent security standards across federal government IT organizations. It uses a risk-based approach to protect information and information systems run by the federal government. FISMA received renewed attention in the wake of recent major government security incidents, such as the compromise of background investigation records at the Office of Personnel Management.

Agencies that consistently fail their FISMA audits should direct a significant amount of attention to their next audit cycle. The public's attention is justifiably focused on federal information security issues, and agencies that run afoul of FISMA requirements are likely to find their leaders testifying on C-SPAN and receiving unwanted attention.

Of course, the most important way to prepare for a FISMA audit is to ensure the agency has a robust set of security controls that adequately manage risk. Assuming that is the case, the next important step is to ensure auditors can easily verify the risk assessment process and the presence and effectiveness of security controls. Maintain an audit trail that clearly demonstrates which controls are in place and how they are incorporated into routine security activities. The more an agency can organize the documentation of its work, the better. If you clearly present evidence to an auditor that you are satisfying control objectives, they won't need to dig for it.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)


This was last published in October 2015
