The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that defines an information security framework for government agencies and their contractors. Recognizing the importance of information security to economic and national security interests, FISMA requires federal agencies to construct and implement a cost-effective, risk-based information security program to protect sensitive government information and assets.
FISMA has since been amended by the Federal Information Security Modernization Act (known as FISMA2014 or FISMA Reform) to keep the framework in alignment with current information security threats.
How is FISMA implemented?
The National Institute of Technology and Standards (NIST)—which launched the FISMA implementation project in 2003—is responsible for developing and implementing FISMA security requirements, as well as determining which security controls and risk assessment practices are necessary for each agency.
Annual reviews of agency information security programs are conducted by Inspectors General, Chief Information Officers (CIOs), and other program officials. The results are relayed to the Office of Management and Budget (OMB), which prepares an annual FISMA compliance report to Congress.
FISMA, OMB, and NIST standards and guidelines require government agencies to employ a continuous monitoring approach to verify the effectiveness of their security controls between audits. In addition to tracking changes in security posture, real-time security data allows officials to initiate timely remediation and make cost-effective, risk-based decisions around how to operate their information systems.
What are FISMA compliance requirements?
The information security framework defined by FISMA must be followed by all executive and legislative branch agencies, any businesses under contract with those agencies, as well as state agencies operating federal programs.
The seven key FISMA compliance requirements are:
- Information system inventory. Federal agencies and their contractors must inventory all of the information systems in use within their network.
- Risk categorization. Information and information systems must be categorized by risk to ensure that the most sensitive or vulnerable data receives the highest level of protection.
- System security plan. Agencies must create a security plan which is continually updated to maintain adequate security controls and policies over time.
- Security controls. In addition to implementing the minimum security controls outlined by NIST, agencies must implement whichever controls from the NIST 800-53 catalog are deemed necessary for each information system.
- Risk assessments. When changes are made to their systems, agencies must conduct risk assessments to determine if their current security controls are adequate, and if further controls are needed.
- Certification and accreditation. In addition to conducting risk assessments, agency heads and program officials are required to conduct annual security reviews. The FISMA certification and accreditation process has four phases: initiation and planning, certification, accreditation, and continuous monitoring.
Achieving FISMA compliance
In order to meet the requirements mentioned above, agencies and contractors should be security-first in all of their operations. This means classifying and encrypting data as it is created so that the security of critical information is prioritized, and the impact of a potential breach is reduced. Agencies and contractors should also track the steps taken to achieve FISMA compliance in order to remain audit-ready. Comprehensive training is critical to ensuring that employees understand their role in protecting their organization from cyber threats.
In addition to safeguarding the sensitive data that lives on government networks, FISMA guidelines provide organizations with a cost-effective roadmap for shoring up their security posture and remediating security issues. Private companies competing to win government contracts also gain a competitive advantage by demonstrating FISMA compliance.
Consequences of non-compliance
The consequences of FISMA non-compliance include a loss of federal funding for government contractors, censure by congress, and reputational damage.
Vendors can be called to testify before congress in the aftermath of a data breach to assess the cause and scope of the damage, especially when classified information relating to national security is involved. In the most severe cases, contractors can be censured from being awarded future government contracts.
How SecurityScorecard can help
While government agencies and contractors can take a snapshot of their compliance posture by conducting internal audits, they may drift in and out of compliance during the intervals between these periodic assessments. SecurityScorecard helps organizations track their compliance posture on an ongoing basis with our compliance module, which reveals issues that pertain to specific regulatory standards.
Users can also automate third-party compliance to immediately and continually assess the risk posture of any vendor in their portfolio. With this visibility, government agencies and their contractors can prevent predictable data breaches and data loss.
