The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations and assets against natural and manmade threats. FISMA was enacted as part of the E-Government Act of 2002.
The act requires each federal agency to develop, document and implement an agency-wide information security program to protect sensitive data and information systems that support the operations and assets of the agency, including those provided or managed by another agency, third-party vendor or service provider.
FISMA is one of the most important regulations for federal data security standards and guidelines.
What is the purpose of FISMA?
FISMA assigned specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to strengthen information security systems.
In particular, FISMA required agency program officials, chief information officers and inspectors general (IGs) to implement information security policies and implement security controls to cost-effectively reduce information technology security risk to an acceptable level.
Once the program is in place, agencies must conduct an annual review of their information security program and report the results to the Office of Management and Budget (OMB).
The OMB then uses this data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with FISMA.
FISMA's scope has since increased to include state agencies administering federal programs like Medicare and any third-party vendors who are involved in a contractual agreement with the government.
In 2010, the Office of Management and Budget (OMB) released guidelines requiring agencies to provide real-time system information to FISMA auditors, enabling continuous monitoring of FISMA-regulated information systems.
Although FISMA was superseded by the Federal Information Security Modernization Act of 2014 (FISMA 2014), the original act brought attention to the need for cybersecurity within the federal government by emphasizing "risk-based policy for cost-effective security". FISMA 2014 in turn:
- Codifies the Department of Homeland Security's (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deployment
- Amends and clarifies the Office of Management and Budget's (OMB) oversight authority over federal agency information security
- Requires OMB to amend or revise OMB A-130 to eliminate inefficient and wasteful reporting
The updated A-130 emphasizes the role of managing sensitive information over its lifecycle, representing a shift from viewing security and privacy requirements as compliance exercises to crucial elements of comprehensive, strategic and continuous risk-based programs at federal agencies.
How was FISMA implemented?
In accordance with FISMA, the National Institute of Standards and Technology (NIST) launched the FISMA Implementation Project in January 2003 to develop standards, guidelines and other resources that provide information security for all federal agency operations and assets, excluding national security systems.
Part of NIST's role is to work closely with federal agencies to improve their understanding and implementation of FISMA and publish standards and guidelines, like the NIST Cybersecurity Framework, which provide the foundation for strong information security programs.
What are the FISMA compliance requirements?
FISMA defines a framework for managing information security that must be followed by all information systems used or operated by a U.S. federal government agency in the executive or legislative branches and by third-party vendors who work on behalf of a federal agency in those branches.
The framework is further defined by the National Institute of Standards and Technology (NIST), which has published standards and guidelines such as FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, FIPS 200 Minimum Security Requirements for Federal Information and Information Systems and the NIST SP 800 series.
There are seven main FISMA requirements:
- Inventory of information systems: FISMA requires agencies and third-party vendors to maintain an inventory of their information systems and an identification of any interfaces between each system and other systems or networks, including those not operated by or under the control of the agency. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems provides guidance on how to group information systems and define their boundaries.
- Risk categorization: All sensitive information and information systems are categorized according to a range of risk levels based on the security they require. FIPS 199 and NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories provide categorization guidelines. The key thing to understand about FISMA's risk assessment methodology is that it uses the high water mark for its impact rating. This means that if a system scores low for confidentiality and integrity but high for availability, the overall impact level is high.
- Security controls: FISMA requires federal information systems to meet the minimum security requirements defined in FIPS 200. NIST SP 800-53 Recommended Security Controls for Federal Information Systems outlines appropriate security controls and assurance requirements. Agencies are not required to implement every control, only those they deem necessary. Once controls are selected and the minimum security requirements are satisfied, agencies must document the selected controls in their system security plan.
- Risk assessments: The combination of FIPS 200 and NIST SP 800-53 forms the foundational level of all federal agencies' risk management frameworks. A cybersecurity risk assessment determines whether the current security controls are sufficient and whether any additional controls are needed. As with any risk assessment, it starts by identifying potential cyber threats, cyber attacks, vulnerabilities, exploits and other common attack vectors, then maps them to the controls designed to mitigate them. Risk is determined by calculating the likelihood and impact of a given security incident, taking existing controls into account. The end result is a risk assessment with calculated risks for all events and a decision for each on whether the risk is to be accepted or mitigated.
- System security plan: NIST SP 800-18 introduced the concept of a system security plan, a living document requiring periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be developed and documented to review the plan, keep it current and track progress on any planned security controls. The system security plan is a major input into the security certification and accreditation process. During that process, the system security plan is analyzed, updated and then accepted, with a certification agent confirming that the security controls described are consistent with FIPS 199 and FIPS 200.
- Certification and accreditation: Once a risk assessment and system security plan are complete, FISMA requires program officials and agency heads to conduct annual security reviews to ensure security controls are sufficient and risk is sufficiently mitigated. FISMA certification and accreditation is a four-phase process that includes initiation and planning, certification, accreditation, and continuous monitoring. NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems outlines this process in detail. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts of a data breach, data leak, unauthorized access or other security incidents.
- Continuous monitoring: All FISMA accredited systems are required to monitor their selected set of security controls, with documentation updated to reflect changes and modifications to the system. Large changes should trigger an updated risk assessment and may need to be recertified. Continuous monitoring activities include configuration management, control of information system components, security impact analysis of changes to the system (e.g. security ratings), ongoing assessment of security controls and status reporting.
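The high-water-mark rule from the risk categorization item above is easy to state but is applied in two steps in practice: first each security objective of a system takes the maximum impact across all the information types the system handles (FIPS 199), then the overall impact level that selects the SP 800-53 baseline is the highest of the three objectives (FIPS 200). The following is an added example, not code from the original article or from NIST; the information types and their impact values are constructed for illustration, and real values come from NIST SP 800-60 and the agency's own analysis.

```python
# Added example (not from the original article): FIPS 199 security categorization
# of a system from its information types, followed by the FIPS 200 high-water mark.
from typing import Dict

# Ordered impact levels. "n/a" is permitted only for the confidentiality of an
# information type (e.g. public information); it is never valid for a system.
LEVELS = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
NAMES = {value: name for name, value in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: two information types processed by one hypothetical system.
SAMPLE_INFO_TYPES: Dict[str, Dict[str, str]] = {
    "personnel records": {
        "confidentiality": "moderate", "integrity": "moderate", "availability": "low",
    },
    "public web content": {
        "confidentiality": "n/a", "integrity": "moderate", "availability": "high",
    },
}


def validate(info_type: str, ratings: Dict[str, str]) -> None:
    """Reject unknown levels and the misuse of 'n/a' outside confidentiality."""
    for objective in OBJECTIVES:
        level = ratings.get(objective)
        if level not in LEVELS:
            raise ValueError(f"{info_type}: {objective} has unknown impact level {level!r}")
        if level == "n/a" and objective != "confidentiality":
            raise ValueError(f"{info_type}: 'n/a' is only allowed for confidentiality")


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per-objective impact of a system = maximum over the information types it handles.

    A system's objective is never below 'low': 'n/a' applies to information types
    only, so a confidentiality rating of 'n/a' is raised to the 'low' floor here.
    """
    for name, ratings in info_types.items():
        validate(name, ratings)
    category = {}
    for objective in OBJECTIVES:
        highest = LEVELS["low"]
        for ratings in info_types.values():
            highest = max(highest, LEVELS[ratings[objective]])
        category[objective] = NAMES[highest]
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall impact level = the highest of the three objectives (FIPS 200).

    This is the rule the article describes: low/low/high -> high.
    """
    return NAMES[max(LEVELS[category[objective]] for objective in OBJECTIVES)]


def sp80053_baseline(info_types: Dict[str, Dict[str, str]]) -> str:
    """From information types straight to the name of the SP 800-53 control baseline."""
    level = high_water_mark(categorize_system(info_types))
    return f"SP 800-53 {level} baseline"


if __name__ == "__main__":
    category = categorize_system(SAMPLE_INFO_TYPES)
    print("system category:", category)
    print("overall impact:", high_water_mark(category))
    print(sp80053_baseline(SAMPLE_INFO_TYPES))
```

Note that the aggregation is monotonic: adding one more information type to a system can only raise its category, which is why the inventory of systems and their boundaries (the first requirement above) has to be settled before categorization gives a meaningful answer.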
What are the benefits of FISMA compliance?
FISMA compliance has increased the security of sensitive federal information, protecting national security interests, and continuous monitoring gives agencies the information they need to maintain their security and eliminate vulnerabilities in a cost- and time-effective manner.
For private-sector companies that do business with federal agencies, FISMA compliance can provide a leg up over other organizations when vying for federal contracts. The added benefit is that by meeting FISMA compliance requirements, companies improve their data protection, prevent data breaches and improve their incident response planning.
What are the penalties for failing to comply with FISMA?
For government agencies and their third-party vendors, failing to comply with FISMA could result in censure by Congress, a reduction in federal funding, reputational damage, government hearings, loss of future contracts and poor cybersecurity infrastructure.
What are FISMA compliance best practices?
- Classify information as it is created: This allows you to prioritize security controls for your most sensitive information first.
- Encrypt sensitive data: Encryption is a great way to reduce the impact and cost of data breaches.
- Maintain evidence of FISMA compliance: Record the work your organization has done to achieve FISMA compliance, e.g. your inventory of information systems, risk categorization framework, security controls, past risk assessments, system security plans, certifications, accreditations and continuous monitoring solutions.
- Stay current: Keep up with changes to FISMA standards and new NIST guidelines.
How UpGuard can prevent data breaches and data leaks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, and prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.