Prior to the E-Government Act, there was no formal guidance on how electronic government services and processes should be managed. Nested within it, a second act, the Federal Information Security Management Act (FISMA), required all federal government agencies and contractors to develop, document, and implement an information security program. Enacted in 2002, the law remains in effect today.
What are Some of the Top FISMA Requirements?
Under FISMA, all federal agencies and their contractors are required to:
- Categorize the risk to their information systems and data so that the most sensitive assets are given the highest possible level of security.
- Create and implement a formal, well-documented system security plan.
- Implement the relevant security and privacy controls referenced in NIST SP 800-53, including, but not limited to, encryption, personnel security, access control, contingency planning, incident response, and maintenance. Which NIST controls apply depends on the standard requirements the federal agency or contractor is obligated to meet.
- Conduct periodic risk assessments, crucial for identifying and managing risks using the aforementioned relevant controls.
- Continuously monitor information systems to detect any abnormalities.
- Complete annual security reviews to maintain their certification and accreditation.
Should an agency—or a federal contractor—fail in any of the above, it may be subject to penalties. For agencies, this could mean reduced federal funding, a good talking-to from Congress, or harm to their reputation. For contractors, it could mean the end of their days doing business with the federal government.
What Does FISMA Mean for the Colocation Data Center?
First and foremost, one of the top FISMA requirements is something called an information systems inventory. This is an inventory of every IT system used within the federal agency, including any information systems that are owned, operated, and managed by a private contractor. It also includes any systems with which the federal agency or its contractors are integrated. As such, any servers living in a government data center—on-premises, in the cloud or otherwise—need to be accounted for in this inventory.
Colocation data centers operate in both the IT and real estate spheres. While they house information systems and deliver the power, cooling, and connectivity that sustain them, they do not own or operate those systems. However, because this provided infrastructure directly supports their customers’ systems, it is likewise entered into the same inventory. As such, a colocation facility must ensure that it possesses the infrastructure and expertise to support a federal agency’s or contractor’s FISMA compliance program.
Some of that infrastructure includes the following:
- Physical access controls
- Surveillance and monitoring
- On-site security staff
- Secure enclosures with heightened access control for highly sensitive government IT loads
- Other facility security controls that may be necessary
Should Federal Entities and Contractors Prefer Colocation to an On-Premises Data Center?
Assuming the colocation data center can support the organization’s FISMA compliance program, the answer is absolutely. Leaving the security and infrastructure responsibilities to a colocation provider eases the burden of maintaining certain controls that lie outside an agency’s or contractor’s core mission, allowing it to focus on the IT side of FISMA compliance.
Colocation data center providers handle multiple levels of security: physical access controls, secure enclosures, surveillance, and on-site security staff. Further, robust and complex infrastructure is a colocation provider’s core competency: security, power, cooling, redundancy, connectivity, and routine maintenance. Robust business continuity options, used for backup and disaster recovery purposes, also feed into the customer’s compliance program. The facility’s amenities, from lighting to restrooms to break rooms, are likewise provided for.
Owning and operating a data center is extraordinarily resource intensive, particularly when it comes to expansion. Colocation data centers are designed for scalability, and so can provide on-demand increases in space, power, and cooling at a predictable operating expense. By contrast, expanding an on-premises data center can require everything from land purchases and permitting to new licenses, construction, and equipment installation, all of which comes out of the taxpayers’ wallets.
Given these significant benefits, it usually makes more sense for government agencies and their contractors at every level—federal, state, and local—to house their information systems in a colocation data center.
Schedule a data center tour today and learn how Sabey Data Centers support FISMA compliance.