Compliance, otherwise known as the act of adhering to a set of rules and regulations, is mandatory in many industries, including the business of electronics recycling and data destruction. Regulations in this industry are especially important because most of the information that businesses seek to destroy is confidential or otherwise sensitive. One example of this type of sensitive information is government records received from the federal government. Companies and businesses that exchange federal data must ensure the security of the data they handle. One way to do so is to remain compliant with federal information regulations such as FISMA. Before analyzing FISMA compliance, however, we must take a close look at what exactly FISMA is.
What Is FISMA?
FISMA stands for the “Federal Information Security Management Act.” This law, which was passed in the United States in 2002, dictates that federal agencies must introduce plans to safeguard sensitive information. The law has been strengthened and amended over the years, with one of the most recent changes made in 2014. That revised version of FISMA requires the federal Office of Management and Budget (OMB), among other things, to amend or review OMB A-130 to “eliminate inefficient and wasteful reporting.” The 2014 FISMA also authorizes the Department of Homeland Security (DHS) to offer assistance to other federal agencies upon DHS’s request.
FISMA compliance requirements are established by FISMA and the National Institute of Standards and Technology (NIST).
E-Waste & Data Destruction FISMA Requirements
Although only federal agencies were initially required to follow FISMA compliance requirements, state agencies that oversee federal programs (Medicaid, Medicare, etc.) and organizations that hold contracts to collaborate with federal agencies are now also subject to these rules. To better understand what’s required by this law, let’s take a look at the 4 main segments that make up the Federal Information Act.
Information System Inventory
This involves keeping an inventory of all systems and their integrations. At first glance, this may seem like an extremely dull and pointless task, but it can ultimately help your business remain organized. An inventory or similar list can help prevent errors that arise from inconsistent records.
To categorize risk and security requirements, agencies typically use FIPS 199 documents. These documents outline standards for placing data and information systems into categories according to the degree of concern (low, moderate, or high) that their confidentiality or integrity could be compromised.
Security Controls (NIST 800-53)
NIST is a non-regulatory agency of the U.S. Commerce Department that researches and sets standards for all federal agencies. NIST 800-53 was originally developed to offer guidance on how to properly protect individuals’ and organizations’ private information. In total, 20 security controls that are key to FISMA compliance are outlined under NIST 800-53.
Certification & Accreditation
One of FISMA’s most important requirements for each agency is to carry out annual security reviews. Federal agencies need to prove they are capable of introducing, maintaining, and monitoring their systems.
Other major requirements for FISMA compliance include conducting risk assessments (in accordance with the Department of Defense’s Risk Management Framework) and establishing a security plan, which must be routinely updated.
It’s also important to note that many people believe the myth that deleting data is less expensive than completely destroying it and just as safe. In fact, deleting is not a permanent solution for eliminating data. Although deleting the information is free, research shows that the cost of proper data destruction is significantly lower than the average cost of a data breach. According to a 2019 report from IBM, the average total cost of a data breach is $3.92 million, and 25,575 records are exposed or compromised on average following a breach.
Speak To An Experienced E-Waste Company
Reach out to the experts at e-End in Frederick, Maryland for more information on FISMA compliance requirements. We have met the National Association for Information Destruction® (NAID) AAA requirements for specialized destruction services, such as the destruction of hard drives and SSDs, making us one of the top e-waste companies in the Virginia, Maryland and Pennsylvania region. Our services include secure data destruction, e-recycling, equipment and device destruction and IT asset disposition. We also hold the highest electronics certifications, so that you can be confident you remain compliant with all laws, rules and regulations.
At e-End, we know that failure to meet compliance requirements can subject organizations to hefty fines and/or imprisonment, especially if sensitive data is disclosed. Aside from FISMA, our other compliance services include HIPAA, GLB, SOX, FACTA, ITAR, COPPA and ePHI.
Whether you are a government or non-government agency, our team of data security specialists is prepared to help you remain in compliance with these laws. Call e-End today at (240) 529-1010 or contact us online to learn more about our e-waste and data destruction services, which include degaussing tapes, hard drives and access cards.