What is FISMA?

The Federal Information Security Management Act (FISMA) was passed as part of the E-Government Act (Public Law 107-347) by Congress in 2002.

FISMA mandates that every agency within the federal government create, document, and execute holistic programs that embed information security policies that safeguard sensitive information from data breaches.

Additionally, federal agencies are obligated to ensure that these policies are observed and implemented by any contractor, sub-contractor, or other service provider that is part of the agency’s supply chain.

Overview of FISMA

The most recent version of FISMA, passed in 2014, emphasizes the development of risk-based policies for cost-effective security. Put more precisely, FISMA requires government agencies to:

  • Plan an information security program
  • Develop information security roles and responsibilities
  • Authorize system processing before operations
  • Routinely review their security controls and system authorizations to ensure the efficacy of controls

FISMA is enforced by the Department of Homeland Security (DHS). Their role is to work with the Office of Management and Budget (OMB) to develop and administer the information security policies utilized by federal agencies.

They must also monitor federal agencies to ensure compliance with those policies over time. Non-compliance can cost an organization federal funding and valuable contracts, and can bring reputational damage and potential legal hearings, not to mention the cost of damage resulting from a security incident.

What are the requirements for FISMA certification?

FISMA standards mandate that federal agencies conduct annual security reviews to demonstrate adherence to FISMA compliance requirements and report their results to the OMB.

In this security accreditation, agencies must provide documentation that demonstrates compliance with the following FISMA requirements:

  • Information System Inventory: agencies must create and maintain an inventory of all information systems and integrations.
  • Risk Categorization: agencies must identify and categorize their risks by severity according to the best practices defined in FIPS 199, a NIST standard for categorizing data and information systems.
  • System Security Plan (SSP): agencies must create and document a security plan designed for federal information systems and data protection and update that plan regularly.
  • Data Security Controls: agencies must implement the information and cybersecurity controls defined in NIST 800-53, published by the National Institute of Standards and Technology (NIST), to achieve FISMA compliance.
  • Risk Assessments: agencies must routinely conduct risk assessments, as outlined in the Risk Management Framework (RMF), whenever their information systems undergo significant changes.

Who does FISMA affect?

FISMA affects federal agencies, their contractors, sub-contractors, and other service providers that provide information security services or support the operations and data assets of an agency.

How to Pass a FISMA Audit

In addition to their annual certification, agencies and members of their supply chain may also choose to undergo a FISMA audit to:

  • Obtain authorization to operate (ATO)
  • Increase competitiveness or secure federal funding
  • Provide potential clients with proof of FISMA compliance
  • Otherwise confirm that they adequately protect government assets and are committed to integrity, confidentiality, and availability.

In the event of a FISMA audit, organizations are required to demonstrate their implementation of NIST SP 800-series standards.

Standards in the series may or may not apply to an organization depending on its business scope and security risk levels. The audit can be tailored to the relevant security control baseline for that particular organization.

The following list provides the baseline components of a FISMA audit. However, the individual controls being audited will vary from organization to organization.

  • Access Controls
  • Security Awareness and Training
  • Auditing and Accountability
  • Configuration Management
  • Planning for Contingencies
  • Authentication and Identification
  • Disaster Recovery
  • Incident Response
  • Systems Maintenance
  • Continuous Monitoring
  • Digital Asset Protection
  • Environmental and Physical Protection
  • Security among Personnel
  • Risk Assessment
  • Service and System Acquisition
  • Communications Protection
  • System and Government Information Integrity

Key Takeaways

  • FISMA 2014 mandates that every federal agency create, document, and execute holistic information security policies to safeguard their sensitive data.
  • FISMA is enforced by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB).
  • FISMA affects federal agencies, their contractors, sub-contractors, or other service providers that support the agency.
  • FISMA mandates that federal agencies conduct yearly reviews to demonstrate compliance and report their results to the OMB.
  • Organizations may also choose to undergo a FISMA audit for various reasons to verify adherence to NIST SP 800 security standards.