Posted on Oct 14, 2020
The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that defines an information security framework for government agencies and their contractors. Recognizing the importance of information security to economic and national security interests, FISMA requires federal agencies to construct and implement a cost-effective, risk-based information security program to protect sensitive government information and assets.
FISMA has since been amended by the Federal Information Security Modernization Act (known as FISMA2014 or FISMA Reform) to keep the framework in alignment with current information security threats.
The National Institute of Standards and Technology (NIST), which launched the FISMA implementation project in 2003, is responsible for developing and implementing FISMA security requirements, as well as determining which security controls and risk assessment practices are necessary for each agency.
Annual reviews of agency information security programs are conducted by Inspectors General, Chief Information Officers (CIOs), and other program officials. The results are relayed to the Office of Management and Budget (OMB), which prepares an annual FISMA compliance report to Congress.
FISMA, OMB, and NIST standards and guidelines require government agencies to employ a continuous monitoring approach to verify the effectiveness of their security controls between audits. In addition to tracking changes in security posture, real-time security data allows officials to initiate timely remediation and make cost-effective, risk-based decisions around how to operate their information systems.
The information security framework defined by FISMA must be followed by all executive and legislative branch agencies, any businesses under contract with those agencies, and state agencies operating federal programs.
The seven key FISMA compliance requirements are:
In order to meet the requirements mentioned above, agencies and contractors should be security-first in all of their operations. This means classifying and encrypting data as it is created so that the security of critical information is prioritized, and the impact of a potential breach is reduced. Agencies and contractors should also track the steps taken to achieve FISMA compliance in order to remain audit-ready. Comprehensive training is critical to ensuring that employees understand their role in protecting their organization from cyber threats.
In addition to safeguarding the sensitive data that lives on government networks, FISMA guidelines provide organizations with a cost-effective roadmap for shoring up their security posture and remediating security issues. Private companies competing to win government contracts also gain a competitive advantage by demonstrating FISMA compliance.
The consequences of FISMA non-compliance include a loss of federal funding for government contractors, censure by Congress, and reputational damage.
Vendors can be called to testify before Congress in the aftermath of a data breach to assess the cause and scope of the damage, especially when classified information relating to national security is involved. In the most severe cases, contractors can be barred from being awarded future government contracts.
While government agencies and contractors can take a snapshot of their compliance posture by conducting internal audits, they may drift in and out of compliance during the intervals between these periodic assessments. SecurityScorecard helps organizations track their compliance posture on an ongoing basis with our compliance module, which reveals issues that pertain to specific regulatory standards.
Users can also automate third-party compliance to immediately and continually assess the risk posture of any vendor in their portfolio. With this visibility, government agencies and their contractors can prevent predictable data breaches and data loss.