What is the Federal Information Security Management Act (FISMA)?
The Federal Information Security Management Act (FISMA) is a United States federal law enacted as Title III of the E-Government Act of 2002. It requires federal agencies to implement information security programs to ensure their information and IT systems’ confidentiality, integrity, and availability, including those provided or managed by other agencies or contractors.
The scope of FISMA has increased to include state agencies administering federal programs. FISMA requirements also apply to any private businesses that are involved in a contractual relationship with the United States government.
FISMA requires each agency to develop and implement a program that secures all parts of its operations and assets, including its own networks as well as systems provided or managed by others (other agencies, contractors, or other sources).
Who must comply with FISMA?
- All U.S. federal government agencies
- State agencies administering federal programs such as unemployment insurance, student loans, Medicare and Medicaid
- Any private sector company doing contracted work for the U.S. government
What is the FISMA Framework?
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
- Inventory of information systems – Take an inventory of the information systems controlled by each agency
- Categorize information and information systems according to risk level
- Appropriate security controls and assurance requirements – Ensure you have the appropriate security controls as set out in the NIST Special Publication 800-53
- Risk assessment – Validate your security controls and determine if any additional controls are needed
- System security plan – Execute and frequently review plans for implementing security controls
- Certification and accreditation – The system must be reviewed and certified as functioning according to the appropriate standards
- Continuous monitoring – Monitor and update to reflect ongoing changes
What are the penalties for FISMA non-compliance?
Government agencies and related private companies can face several penalties for failing to stay compliant with FISMA, including:
- Being censured by Congress
- Reduction in federal funding
- Damage to reputation
- Increased government oversight