Transcript for:
Understanding Compliance Frameworks for US Government

Consider three athletes standing at the face of a river, all three trying to get to the other side. Depending on their skills, their gear and their timelines, all three are likely to take different approaches: one may choose to simply swim, the other may choose to sail, and the third may consider rowing. At the end of the day everybody has the same goal, though: everybody wants to get to the other side. Similarly, when dealing with government compliance, everybody shares a common goal, to do business with the American federal government, and NIST, FedRAMP and FISMA represent three ways to do just that. This is much easier said than done, of course. The world of compliance was tricky enough to begin with, but if you want to do business with the single largest buyer of goods and services in the world, the US government, you'll have to learn everything there is to know about these three frameworks. So today let's do just that: let's deep dive into NIST, FedRAMP and FISMA, understand what they are, how they're different and what they have in common. At the end of the video we'll also talk about how you can get compliant with all three of these frameworks.

Let's start with FISMA. FISMA stands for the Federal Information Security Management Act. FISMA is a federal law that was introduced in 2002 and has at its core one single aim: it requires federal agencies to develop, document and implement an information security and protection program. That is, take information security seriously. FISMA applies to three types of institutions: one, federal government agencies; two, state agencies that administer federal programs like Medicare, student loans, etc.; and three, all private sector firms that support federal programs, sell services to the federal government or receive federal grant money. Simply put, if you're dealing in federal government information, you're under the Federal Information Security Management Act.

In order for private companies to work with a federal agency they need an ATO, or an Authorization to Operate. An ATO is granted after a five-step process, which we'll go through now. One, identifying which risk you're taking on, which is often a product of the federal agency you want to work with. Two, you will build out a system security and privacy plan, followed by three, an assessment, and four, a post-assessment review of your SSPP. Once you're clear you'll get an ATO and move on to step five, which is building a plan of actions and milestones to ensure you're ready for any future risks and changes.

It is important to note here that FISMA is a one-to-one arrangement. If you work with one federal agency you need to get an ATO from them; however, if you expand and work with another agency, you will need a brand new ATO from that new agency, and so on and so forth for the third, fourth, fifth federal agency and beyond. FISMA's specific requirements come from three documents: the Federal Information Processing Standard 199, the Federal Information Processing Standard 200, and NIST 800-53, which we'll get to in just a second. A FISMA assessment can be performed directly by the agency that's granting you the ATO or by a recognized third-party assessment organization.

Next up is FedRAMP. FedRAMP stands for the Federal Risk and Authorization Management Program. Take a trip with me: the year is 2011 and the federal government is trying really hard to go cloud first. FedRAMP made this easier by presenting a centralized security program for cloud providers seeking to do business with the federal government. FedRAMP spells out standards for security assessment, continuous monitoring and authorization processes, and essentially acts as a seal of approval for cloud service providers, also known as CSPs. FedRAMP applies to a broad swath of companies, including any cloud service providers, so that includes any SaaS companies, PaaS companies and IaaS companies. It also applies to contractors, subcontractors and organizations that provide services to CSPs that work with federal information. Unlike FISMA, though, a FedRAMP ATO does not need to be acquired individually for each agency. You get a FedRAMP ATO once, and as a cloud service provider you are now allowed to do business with any federal agency. That convenience, though, does come at a cost: because of its far-reaching scope, FedRAMP certifications are far more rigorous than FISMA's.

The final piece of this puzzle is NIST. You've heard of NIST 800-53 before: we've mentioned it in this video, we've done a bunch of videos about it, and you may have heard of it through external parties. In any case, let's do a quick crash course. NIST stands for the National Institute of Standards and Technology and is the body responsible for developing the 800-53 standard, along with several other popular frameworks like NIST 800-171, NIST CSF and more. NIST produces standards and risk assessment frameworks for a wide range of subjects, including cyber security, and is the backbone for a range of government compliance frameworks, including FISMA, FedRAMP, DFARS and more. A hyper-simplified metaphor to understand this relationship between NIST, FISMA and FedRAMP is to consider FISMA and FedRAMP as books and NIST 800-53 as the dictionary. You are asked to get FISMA and FedRAMP compliant, and when you want to understand what that entails at a control level, you refer to NIST 800-53. If you would like to know more about NIST 800-53, there's a video in the top right corner now where we explain the framework in incredible depth, and it'll answer any questions you have.

So what are the differences and similarities between FISMA, FedRAMP and NIST? Let's tackle the differences first, starting with who needs to be compliant. FISMA is meant for all federal agencies and companies that work with these federal agencies. FedRAMP is more specific: it's meant only for third-party cloud service providers that host federal information. NIST 800-53 is compulsory for all operators of critical infrastructure; that includes federal agencies and private companies that work with these federal agencies. The second difference is who verifies the certification. FISMA ATOs are required from each individual federal agency a company works with. FedRAMP ATOs, in comparison, are a one-time effort and must be performed by a FedRAMP-approved third-party assessment organization, also known as a 3PAO. NIST 800-53 technically doesn't have a certification, but external auditors can assess your compliance against its many, many controls. The final difference is probably the most nuanced: what they are. FISMA is a federal law, FedRAMP is a program, and NIST is a non-regulatory agency that offers guidelines and standards in relation to cyber security, like NIST 800-53.

So what are the similarities between FISMA, FedRAMP and NIST? The first is their focus: all three are fundamentally aimed at improving and ensuring the security of information systems, with a specific focus on the American federal government. The second similarity is what they allow you to do. Like we mentioned earlier, all three of these frameworks are ways to be able to do business with the federal government by standardizing cyber security processes and postures for companies. The last similarity is their influence. While these three frameworks are meant primarily for federal agencies and private companies that work with these federal agencies, they are becoming massively popular in their own right in the private sector. Private companies will often get compliant with one of or all of these three frameworks of their own accord, simply because of the depth and breadth of security they provide. The focus on constant visibility, along with the adaptive nature of these frameworks, means that organizations will also have to shift the way they get compliant, from the old paperwork-based, human-assisted, manual approach to a more digitized, automated and integrated method of compliance.

If you're looking to get compliant, there are a couple of ways that Sprinto can help. The first way is with a free NIST 800-53 controls checklist that you can find in the description and in the comments below. The second is Sprinto. Sprinto helps thousands of companies leverage compliance automation across several frameworks like NIST 800-53, NIST CSF, FedRAMP, SOC 2, ISO 27001 and so much more, so that companies can get compliant faster, easier and more inexpensively. Continuous monitoring via Sprinto's centralized dashboard means that you stay compliant all year round, not just during an audit cycle. To know more, visit sprinto.com and book a demo with one of our cyber security experts using the link below. And as always, if you have any questions, feel free to leave them in the comment section; we'll get back to you as soon as possible. If you find this video useful, remember to like and subscribe, or better yet, share the video with somebody that you think might find it useful too.