FISMA Hosting

Stemming from its foundational expertise, Sherlock provides current and potential partners the benefits of its highly secure Sherlock Cloud infrastructure, as it meticulously follows stringent guidelines and policies required to maintain FISMA‐certified status to safeguard the sensitive Protected Health Information (PHI) and Personally Identifiable Information (PII) data. The cloud infrastructure was developed in accordance with hundreds of National Institute of Standards and Technology (NIST) controls governing system access, information control, and management processes; Sherlock Cloud also addressed federal Cloud First requirements.


The Federal Information Security Management Act of 2002 (FISMA) is a highly significant regulation governing federal data security standards and guidelines that federal agencies are required to meet. These FISMA established standards and guidelines aimed to reduce the security risk to federal information and data while simultaneously managing federal spending on information security. The scope of FISMA has since increased to include state agencies administering federal programs (e.g., Medicare). FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the government. It is a component of the larger E-Government Act of 2002 that was developed to improve the management of electronic government services and processes.

Summary of FISMA Requirements

    • Requires each federal agency to develop, document, and implement an agency-wide program to provide information security (includes contractors)
    • Comprehensive framework to protect government information, operations and assets against natural or man-made threats
    • Requires annual reviews (i.e., audits) of information security programs to keep risks below specified acceptable levels
    • NIST is responsible for developing standards and guidelines for providing adequate information security (NIST and FIPS standards)
    • Defines minimum security requirements for information systems
    • 17 families of controls, including over 300 controls and control “enhancements”
    • Lifecycle documentation including but not limited to Security Plan, Risk Assessment Plan, Contingency Plan, Incident Response Plan
    • Strict Government oversight and notification

Example Security Controls to meet FISMA Requirements

    • System Maintenance
    • Central log collection and review of system logs
    • Intrusion Detection Systems (IDS) monitoring
    • Network Firewall segmentation (defense in depth strategy)
    • Strong Authentication: two-factor authentication
    • Protection of data-at-rest through encryption
    • Full back-up and archive, including off-site copy
    • Hardened system configurations

    • Use of Jump-boxes to isolate systems and limit system exposure
    • Encrypted tunnels for data-in-transit outside of private network (SSH, RDP, SSL)
    • Web Proxies and filters to limit web access
    • Limit use of email (i.e., block outbound email)
    • Data Use Agreements signed prior to applicable access to systems and data
    • Host-based firewalls
    • Secure (encrypted tunnel) data upload tool
    • Malicious software protection (Anti-Virus/malware SW)

Working with FISMA data requires an organization to undergo a highly comprehensive certification process to demonstrate that it has implemented the appropriate controls, protections and safeguards. While the certification is arduous, it must be noted that a FIMSA-certified environment requires continual monitoring, maintenance, funding and manpower to sustain.