What criteria should I look for in a service provider to help my government agency comply with FISMA?

In order to fully protect the agency's information, there must first be a security officer. Security management expert Mike Rothman gives his advice on the FISMA compliance process.

I am currently in search of service providers that help government agencies meet FISMA requirements. What are the criteria I should look for in a service provider, specifically one to help with compliance?
Unfortunately, there are no silver bullets, so ultimately someone internal to the agency, along with a service provider implementing a structured security program, must accept responsibility for the protection of the agency's information.

Once that person is in place, the next step is figuring out the current state of the information security program.

Does one exist? How effective is it? A service provider can help build an architecture for security, which will involve learning what needs to be protected, where the information is, how various systems gain access to and use the data and then figuring out the best way to protect the implementation. There are a variety of organizations that can do this.

Concerning implementation, service providers can help to install new gear and manage the infrastructure. One option is a managed security services (MSS) provider, which assists with the operational responsibilities of managing the devices. The MSS market is maturing, so providers should have a long and successful track record of providing pertinent services. Secure data centers, lots of certified staffers and significant financial resources are all important criteria of providers.

Compliance is a totally different issue; it's more about defining where the organization needs to go than the day-to-day work to get there. I always counsel clients to think about security first and let compliance follow. Documenting and substantiating the implemented security controls is enough for most auditors.

This was last published in April 2008
