Cyber changes come to FEMA's NFIP
On the 27th of February FEMA announced the Fiscal Year 2024 Financial Assistance/Subsidy Arrangement for private property insurers interested in participating in the National Flood Insurance Program’s (NFIP) Write Your Own (WYO) Program. This announcement contains specific requirements regarding cybersecurity, which need to be attained by private insurance companies participating in NFIP’s WYO.
FEMA will now require NFIP-participating insurance providers to have the following measures and certifications in-place:
- Business Continuity Plan which identifies threats and risks to NIFP-related business; and, how the company will maintain operations in the event of a disaster affecting operations.
- System Security Plan (SSP) that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems, including; plans of action that describe how unimplemented security requirements will be met, and how any planned mitigations will be implemented. This SSP must be prepared in accordance with either the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, or another comparable standard deemed acceptable by FEMA.
- Implementation of security requirements as specified in NIST (SP) 800-171 – and validated by a third-party assessment organization. Or, companies may alternatively provide certification for the attainment of: ISO/IEC 27001, Cybersecurity Maturity Model Certification (CMMC) 2.0, or Service and Organizational Controls (SOC) 2.
- Plan of Actions and Milestones document describing how any unimplemented security requirements of NIST SP 800–171, rev. 2 will be met, and how any planned mitigations will be implemented, as part of the SSP.
This is an important change to FEMA’s NFIP partnership offering and bears an urgent notification to private insurance companies intending to offer NFIP policies. The attainment of these measures is an important step in enhancing a company’s cybersecurity posture, and providing overall protection to the National Flood Insurance Program.
As a CMMC Registered Provider, and an authorized C3PAO, CyberNINES can help, contact us today