Federal Information Security Management Act (FISMA)

Defining Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) was established in 2002 as part of the Electronic Government Act and remains one of the most important pieces of legislation in data security. The act officially recognizes the importance of an effective IT security infrastructure to the national and financial security of the United States of America. Through FISMA, federal agencies are obliged to create and implement programs that safeguard information security by managing the CIA triad of confidentiality, integrity, and availability for agency data. The law requires that FISMA be observed by all members of federal agencies, as well as by contractors and any other person involved in governmental data operations; this includes any private company in a contractual collaboration with the federal government. Federal agencies such as the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) collaborate on an ongoing basis to discuss and update the FISMA guidelines so that they produce the most effective information security and risk management programs and practices. FISMA essentially ensures that confidential data and information remain protected across all electronic government portals, platforms and processes.[1]

The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA) and provides several modifications that modernize federal security practices to address evolving security concerns. These changes result in less overall reporting, strengthen the use of continuous monitoring in systems, increase the focus on agencies for compliance, and make reporting more focused on the issues caused by security incidents. FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB), through Circular A-130, “Managing Federal Information as a Strategic Resource,” requires executive agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their systems
  • Authorize system processing prior to operations and, periodically, thereafter

These management responsibilities presume that responsible agency officials understand the risks and other factors that could adversely affect their missions. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information and systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.[2]

FISMA Requirements[3]

The top FISMA requirements include:

  • Information System Inventory: Every federal agency or contractor working with the government must keep an inventory of all the information systems utilized within the organization. In addition, the organization must identify the integrations between these information systems and other systems within their network.
  • Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” defines a range of risk levels within which organizations can place their various information systems.
  • System Security Plan: FISMA requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.
  • Security Controls: NIST SP 800-53 outlines an extensive catalog of suggested security controls for FISMA compliance. FISMA does not require an agency to implement every single control; instead, they are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organizations must document the selected controls in their system security plan.
  • Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.
  • Certification and Accreditation: FISMA requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve FISMA Certification and Accreditation (C&A) through a four-phased process which includes initiation and planning, certification, accreditation, and continuous monitoring.

Figure: FISMA Requirements (source: Varonis)

Who Needs to Follow FISMA Compliance[4]

Originally, FISMA only applied to federal agencies. Over time, the law has evolved to cover state agencies that manage federal programs (i.e., Medicare, Medicaid, unemployment insurance, etc.) as well as companies with contracts to work with federal agencies. That means private sector companies that do business with federal agencies must adhere to the same information security guidelines as the federal agency.

Implementation of FISMA[5]

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies. NIST performs its statutory responsibilities through the Computer Security Division of the Information Technology Laboratory.[4] NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. NIST hosts the following:

  • FISMA implementation project
  • Information Security Automation Program (ISAP)
  • National Vulnerability Database (NVD) – the U.S. government content repository for ISAP and the Security Content Automation Protocol (SCAP). NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

FISMA Compliance Requirements[6]

FISMA defines a framework for managing information security that must be followed by all information systems used or operated by a U.S. federal government agency in the executive or legislative branches and by third-party vendors who work on behalf of a federal agency in those branches. The framework is further defined by the National Institute of Standards and Technology (NIST), which has published standards and guidelines such as FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, FIPS 200 Minimum Security Requirements for Federal Information and Information Systems and the NIST 800 series. There are seven main FISMA requirements:

  • Inventory of information systems: FISMA requires agencies and third-party vendors to maintain an inventory of their information systems and an identification of any interfaces between each system and other systems or networks, including those not operated by or under the control of the agency. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems provides guidance on determining how to group information systems and their boundaries.
  • Risk categorization: All sensitive information and information systems are categorized based on their required information security according to a range of risk levels. FIPS 199 and NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories provide categorization guidelines. The key thing to understand about FISMA's risk assessment methodology is that it uses the high water mark for its impact rating. This means if a system scores low risk for confidentiality and integrity but high risk for availability the impact level would be high risk.
  • Security controls: FISMA requires federal information systems meet minimum security requirements as defined in FIPS 200. NIST SP 800-53 Recommended Security Controls for Federal Information Systems outlines appropriate security controls and assurance requirements. Agencies are not required to implement every control, only those they deem necessary. Once controls are selected and minimum security requirements satisfied, agencies must document selected controls in their system security plan.
  • Risk assessments: The combination of FIPS 200 and NIST SP 800-53 form the foundational level of all federal agencies' risk management frameworks. A cybersecurity risk assessment determines if the current security controls are sufficient and if any additional controls are needed. As with any risk assessment, it starts by identifying potential cyber threats, cyber attacks, vulnerabilities, exploits and other common attack vectors then maps to controls designed to mitigate them. Risk is determined by calculating the likelihood and impact of a given security incident, taking into account existing controls. The end result is a risk assessment with calculated risks for all events and information about whether the risk is to be accepted or mitigated.
  • System security plan: NIST SP 800-18 introduced the concept of a system security plan, a living document requiring periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be developed and outlined to review the plan, keep it current and follow the progress on any planned security controls. The system security plan is a major input into the security certification and accreditation process. During the process, the system security plan is analyzed, updated and then accepted, with a certification agent confirming that the security controls described are consistent with FIPS 199 and FIPS 200.
  • Certification and accreditation: Once a risk assessment and system security plan are complete, FISMA requires program officials and agency heads to conduct annual security reviews to ensure security controls are sufficient and risk is sufficiently mitigated. FISMA certification and accreditation is a four-phase process that includes initiation and planning, certification, accreditation, and continuous monitoring. NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems outlines this process in detail. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts of a data breach, data leak, unauthorized access or other security incidents.
  • Continuous monitoring: All FISMA accredited systems are required to monitor their selected set of security controls, with documentation updated to reflect changes and modifications to the system. Large changes should trigger an updated risk assessment and may need to be recertified. Continuous monitoring activities include configuration management, control of information system components, security impact analysis of changes to the system (e.g. security ratings), ongoing assessment of security controls and status reporting.
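The risk categorization rule described in the Risk Categorization and Risk categorization items above (FIPS 199 ratings per security objective, with the FISMA high-water mark deciding the system's overall impact level) is small enough to work through in code. The following is an added example, not code from the original page or from NIST; it implements the FIPS 199 aggregation for a system that handles several information types, including the one edge case FIPS 199 permits (a "not applicable" confidentiality rating for public information, which a system category can never inherit because the floor for a system is LOW). The information types, their ratings and the "benefits portal" are constructed for illustration and do not describe any real agency system.

```python
"""FIPS 199 security categorization and the FISMA high-water mark.

Added example (not part of the original page). The information types and
impact ratings below are constructed; real ratings come from NIST SP 800-60
and the agency's own analysis.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ascending order matters: LEVELS.index() turns a level into a comparable rank.
LEVELS = ["LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type processed by a system, rated per security objective.

    FIPS 199 allows "not applicable" (None here) only for the confidentiality
    objective of an information type, e.g. public information. Integrity and
    availability always receive a level.
    """
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level is None and objective == "confidentiality":
                continue  # the one permitted "not applicable"
            if level not in LEVELS:
                raise ValueError(f"{self.name}: invalid {objective} level {level!r}")


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """Derive the system security category from its information types.

    For each objective the system takes the highest level assigned to any
    information type it handles. A system category is never N/A: FIPS 199
    sets LOW as the floor, so a system holding only public data still gets
    confidentiality LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        rated = [getattr(t, objective) for t in info_types
                 if getattr(t, objective) is not None]
        category[objective] = max(rated, key=LEVELS.index) if rated else "LOW"
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall impact level that drives FIPS 200 / SP 800-53 baseline selection:
    the highest of the three objectives, exactly the rule the page describes."""
    return max(category.values(), key=LEVELS.index)


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample: a hypothetical benefits portal (not a real agency system).
BENEFITS_PORTAL = [
    InformationType("Public program descriptions", None, "MODERATE", "LOW"),
    InformationType("Claimant PII", "MODERATE", "MODERATE", "LOW"),
    InformationType("Payment scheduling", "LOW", "MODERATE", "HIGH"),
]

if __name__ == "__main__":
    sc = categorize_system(BENEFITS_PORTAL)
    print(format_category(sc))
    print("High-water mark:", high_water_mark(sc))
```

For the constructed portal the per-objective category is MODERATE / MODERATE / HIGH, and the high-water mark is HIGH, so the whole system would be assessed against the high baseline even though only one information type's availability drove that result. That is the practical consequence of the rule: a single high-impact objective on a single information type raises the control baseline for everything inside the system boundary, which is why boundary decisions (NIST SP 800-18) matter as much as the ratings themselves.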

Benefits and Penalties of FISMA Compliance and Non-Compliance

Benefits of Compliance
FISMA compliance has increased the security of sensitive federal information, protecting national security interests, and continuous monitoring provides agencies with information about how to maintain their security and eliminate vulnerabilities in a cost- and time-effective manner. For private-sector companies that do business with federal agencies, FISMA compliance can provide a leg up over other organizations when vying for federal contracts. The added benefit is that, by meeting FISMA compliance requirements, companies are improving their organization's data protection, preventing data breaches and improving incident response planning.

Penalties for Non-Compliance
For government agencies and their third-party vendors, failing to comply with FISMA could result in censure by Congress, a reduction in federal funding, reputational damage, government hearings, loss of future contracts and poor cybersecurity infrastructure.

FISMA Compliance Best Practices[7]

At a more granular level, companies that implement these best practice steps will move closer to achieving FISMA compliance:

  • Begin by categorizing, at its most granular level, the information that needs protecting. Starting at the most basic level lets you build security layers up as you add measures related to subsequent layers of the corporation.
  • Identify appropriate baseline controls that will provide the minimum necessary standard of security.
  • Use a risk assessment procedure to fine-tune the security controls, based on how the enterprise uses, stores, manages or transmits that specific data.
  • Document the controls as they evolve. Identifying the options chosen throughout the process provides a map that can be used to explain and clarify the controls-selection process.
  • Implement the controls throughout the system. In many companies, this process becomes an “implement-test-revise” loop as practical considerations further refine the security strategy.
  • Review the agency-level data risks that don’t appear at the granular level. Understanding how data management affects the company’s mission can help identify where additional security measures are needed.
  • Authorize the security system for whole-enterprise implementation. Again, this often requires the “implement-test-revise” loop before a truly effective system is in place.
  • Implement monitoring practices to maintain vigilance over the security system as it interacts with workers, contractors, and other agencies.

See Also

  1. What is the Federal Information Security Management Act (FISMA)? (ForcePoint)
  2. What is the Federal Information Security Modernization Act of 2014? (NIST)
  3. What are the top FISMA Requirements? (Digital Guardian)
  4. Who Needs to Follow FISMA Compliance? (Varonis)
  5. How is FISMA Implemented? (Wikipedia)
  6. What are the FISMA compliance requirements? (UpGuard)
  7. What are FISMA compliance best practices? (Tech Werxe)