Federal Information Security Modernization Act (FISMA)

What is FISMA?

FISMA is the acronym for the Federal Information Security Management Act. This United States (U.S.) legislation sets guidelines and security standards to protect government information and operations. These must be met to adhere to FISMA compliance requirements. 

The impetus for FISMA compliance was to reduce the security risk to federal information and data while managing federal spending on information security. To direct, measure, and ensure compliance, standards are provided for federal agencies to use to develop, document, and implement consistent information security programs. 

The requirements for and oversight of FISMA compliance are managed by the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).  

• NIST is responsible for developing and maintaining standards and guidelines for FISMA compliance, including minimum security requirements. 
• OMB gathers data from annual reviews conducted by agency officials (e.g., chief information officers and inspector generals) and uses this information to assist with oversight responsibilities and to create annual reports to submit to Congress.  
  
  Since the law’s enactment, FISMA compliance has been enhanced. Now, the OMB requires agencies to make real-time system information available to auditors to enable continuous monitoring of FISMA-regulated information systems. 

FISMA must be observed by all members of federal agencies, contractors, and any other person involved in governmental data operations; this clause includes any private company in a contractual collaboration with the federal government. 

An overview of FISMA 

FISMA compliance was created as part of the E-Government Act, passed by Congress in 2002. FISMA became the first federal law to directly state that agencies were not only expected to leverage digital technology as part of their operations but also implement security measures to protect sensitive data. 

Since 2002, FISMA’s scope has widened to apply to state agencies that administer federal programs or private businesses and service providers that have a contract with the U.S. government. Failure to meet FISMA compliance requirements can result in reduced federal funding or other penalties. 

In 2014, Congress amended FISMA to address the more advanced threats and technologies. The 2014 update: 

• Clarified the authority of the OMB with regard to oversight of federal security agencies and their IT security practices, directing OMB to revise policies regarding notification of individuals affected by federal agency data breaches 
• Codified the role of the Department of Homeland Security (DHS) in administering the implementation of information security policies for federal civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies 
• Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually 
• Simplified existing FISMA reporting to eliminate excessive reporting and added new reporting requirements for major information security incidents 

FISMA compliance 

NIST outlines numerous steps toward FISMA compliance in three key publications: 

1. FIPS 199
   Standards for Security Categorization of Federal Information and Information Systems
2. FIPS 200
   Minimum Security Requirements for Federal Information and Information Systems
3. NIST 800 series
   Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations

What FISMA requires 

Important steps involved in FISMA compliance, set forth by NIST, include: 

• Agencies must assess the quality of implemented security controls 
• Information systems must be authorized for processing  
• Minimum baseline controls must be in place along with security controls for specific information systems 
• Protected information should be properly identified and categorized 
• Security controls require continuous monitoring 

In addition, there are seven main requirements for FISMA compliance. 

Requirement one: Certification and accreditation 

After completing a risk assessment and developing a system security plan, FISMA compliance requires program officials and agency heads to conduct annual security reviews. The objective is to ensure that effective security controls are in place to mitigate risk.  

FISMA certification and accreditation is a four-phase process that is detailed in the NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems. The four steps to ensure FISMA compliance are: 

1. Initiation and planning 
2. Certification 
3. Accreditation 
4. Continuous monitoring 

Once accreditation is complete, an agency official accepts responsibility for the security of their systems and is fully accountable for any adverse impacts of a data breach, data leak, unauthorized access, or other security incidents. 

Requirement two: Continuous monitoring 

To maintain FISMA accreditation, organizations must monitor their selected security controls, with documentation updated to reflect changes and modifications to the system. A risk assessment update is triggered if any significant changes are made and could require recertification.  

Activities that require continuous monitoring include: 

• Configuration management 
• Control of information system components 
• Security controls 
• Security impact analysis of changes to the system (e.g., security ratings) 
• Status reporting 

Requirement three: Information system inventory 

To meet FISMA compliance requirements, agencies and third-party vendors must maintain an inventory of their information systems, including details about any interfaces between systems in the inventory and other systems or networks. This record must also include information systems that are not operated by or under the agency’s control. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, provides directions for how information systems and their boundaries should be grouped. 

Requirement four: Risk assessments 

Risk assessment frameworks for FISMA compliance are derived from a combination of FIPS 200 and NIST SP 800-53. The objective of these cybersecurity risk assessments is to determine if the current security controls are sufficient or if any additional controls should be implemented. 

A risk assessment to assess FISMA compliance commences with the identification of potential cyber threats, vulnerabilities, and common attack vectors. Once these have been established, they are mapped to controls, which should mitigate them. Risk is established by calculating the likelihood and impact of a security incident, given the security controls that are in place.   

Requirement five: Risk categorization 

For FISMA compliance, all sensitive information and information systems are categorized by their required security controls based on their risk levels. Risk categorization guidelines are provided in NIST’s FIPS 199 and NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories.  

To meet FISMA compliance requirements, the higher of two risk metrics must be followed. That is, even if a system is rated as low risk for confidentiality and integrity, but high risk for availability, it would be categorized as high risk. 

Requirement six: Security controls 

FISMA compliance requires federal information systems to meet the minimum security controls and assurance requirements defined in FIPS 200, outlined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. Agencies must only implement the controls deemed necessary based on their risk categorization. The security controls and assurance requirements that are implemented should be documented in the organization’s security plan.  

Requirement seven: System Security Plan (SSP) 

An SSP, as outlined by NIST SP-800-18, is meant to be a living document with periodic reviews and updates to plans of action and should include processes, procedures, and milestones for implementing security controls. A key part of the security certification and accreditation process, the SSP is analyzed, updated, and then accepted by a certification agent, confirming the security controls described are consistent with FIPS 199 and FIPS 200. 

Who is required to comply with FISMA?

FISMA compliance is a requirement for not only for all federal agencies, but also applies to any private businesses that the federal government contracts to deliver goods or services, such as third-party vendors and service providers as well as their subcontractors. 

Since the legislation was first passed, FISMA compliance requirements have been expanded to include state agencies that administer federal programs, such as Medicare and Medicaid. 

FISMA FAQ

What is a federal information system?

A federal information system is defined as any information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information used or operated by a federal agency, a contractor of a federal agency, or by another organization on behalf of a federal agency. 

Are there any additional benefits of FISMA compliance?

Potential additional benefits of FISMA compliance include: 

• A competitive edge when trying to add new business from federal agencies 
• Continuous monitoring  
• Elimination of vulnerabilities in a timely and cost-effective manner 
• Enhanced data protection that prevents data breaches 
• Improved incident response planning 
• Increased security of sensitive federal information 

What penalties exist for non-compliance with FISMA?

The three most significant possible penalties for government agencies or associated private companies that do not adhere to FISMA compliance requirements are: 

1. Censure from future federal contracts 
2. Loss of federal funding 
3. Government hearings 

What is FedRAMP, and how does it relate to FISMA?

FISMA compliance and Federal Risk and Authorization Management Plan (FedRAMP) compliance are mandatory for Cloud Service Providers (CSPs) and organizations working for federal agencies. FedRAMP is a security certification designed specifically for CSPs. FedRAMP and FISMA compliance require that CSPs follow the guidelines set forth in NIST SP 500-83.  

A key difference between FedRAMP and FISMA compliance is that: 

• FISMA compliance assessments are performed by government agencies or third parties 
• FedRAMP compliance assessments are performed by a 3PAO (Third Party Assessment Organization) 

FISMA compliance uplevels overall security posture 

By investing in FISMA security controls and assurance requirements, agencies and organizations that work with the federal government can meet mandatory FISMA compliance requirements and improve their overall security posture. The guidelines published by NIST have been adopted across many industries as security best practices, so organizations can benefit from implementing following the guidelines for FISMA compliance. 

You might also be interested in: