If you are a subcontractor to a prime defense contractor like Lockheed Martin, Northrop Grumman, Raytheon, Boeing, General Dynamics and others, you need to know about FIPS 199 and why doing a FIPS impact assessment is important to your DFARS 252.204-7102 compliance. The links in the above prime contractors list, will take you to their respective cybersecurity requirements for continued contracting with them as of January 1, 2018 and beyond.
What is FIPS 199?
Figure 1: Federal Information Security Management Act is the law behind securing your Controlled Unclassified Information.
FIPS 199 is the result of a law passed in 2002 designed to recognize “the importance of information security to the economic and national security interests of the United States.” FIPS 199 is an essential part of the Federal Information Security Management Act of 2002 (FISMA).
FISMA tasked NIST, the National Institute of Standards and Technology with responsibilities for standards and guidelines, including the development of:
- Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in each category; and
- Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category.
Alvaka Networks can assist your company with your FIPS 199 impact assessment as you move towards complying with DFARS 252.204-7012.
Why is FIPS 199 important to you and your company?
Complying with DFARS 252.204-7012 can seem like a daunting task if you are just setting out to accomplish this goal. And yes, it is a lot of work. But a FIPS 199 impact assessment can speed you along toward your goal by assuring you don’t take on a lot of unnecessary work.
A FIPS 199 impact assessment by Alvaka Networks categorizes your information and information systems, so you properly identify which components of your operations require cybersecurity protections under DFARS 252.204-7012. In order to comply, you will need to satisfy the 110 controls identified in NIST Special Publication 800-171 Protecting Unclassified Information in Nonfederal Information Systems and Organizations. Yes, that sounds intimidating, and it will likely be a lot of work for you. But again, a FIPS 199 impact assessment will drastically limit the amount of information and information systems subject to the applicable controls.
Figure 3 NIST cybersecurity standards are the basis for the 110 controls you must accommodate for DFARS 252.204-7012 compliance.
How do you go about doing a FIPS 199 impact assessment?
It is easy. Just contact Alvaka Networks via the form on this page, or give us a phone call.
Getting a FIPS 199 impact assessment is perhaps the easiest and most rewarding aspect of complying with DFARS 252.204-7012. It is rewarding because you will learn so much about your new journey during this process, and you will be able to get an accurate perspective about what your compliance project entails. Once you get your arms around your project, it will make a lot more sense and you will soon be speeding along.
If you are feeling some anxiety or dread from your compliance burden, give Alvaka Networks a call at 949-428-5000 (extension 315), and we will likely have you through this first phase within a week.
What is next after you do your FIPS 199 impact assessment?
After your FIPS 199 assessment, it is recommended that you do a NIST 800-171 gap assessment. This is a bit more work than the FIPS 199 impact assessment, but the gap assessment will identify for you what you have to do to meet the 110 controls of NIST 800-171. It is likely that you already have many cybersecurity practices in place at your company to comply with NIST 800-171. After you complete the gap assessment, you can then start focusing on your SSP (System Security Plan) and Plan of Action and Milestones (POA&M). Once you get to this point, you will really be rolling along fast…but we will get into those elements later. Right now, let’s just get step one done: your FIPS 199 impact assessment.
Give Alvaka Networks a call at 949-428-5000 (extension 315), and we will get you started right away!!!
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.