Guide to

The Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is a federal law implemented by the Department of Defense (DoD) that requires federal agencies and vendors who handle sensitive information held by the government to develop, document, and implement an information security and protection program. FISMA establishes a set of guidelines and security standards that covered entities are required to meet.

What Types of Businesses Need to Comply With FISMA?

FISMA was created for several reasons. One, it was designed to protect sensitive information held by the government. Compliance is mandatory for federal agencies as well as state agencies that administer federal programs such as Medicare. Second, it was designed to ensure the same information is adequately safeguarded by third parties, vendors, contractors that handle certain types of classified and/or sensitive information. This covers multiple types of information, including Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).

Firms in the private sector that do business with federal agencies should consider maintaining FISMA compliance, as it can give them an edge when seeking new business from federal agencies.

Key requirements of FISMA

IT system inventory and risks catalog

Every federal agency or contractor working with the government needs to keep an inventory of all information systems used within the organization, and identify how these systems connect to one another. Each firm must also categorize their information and IT systems in order of risk to ensure that sensitive information and the systems such information flow through are sufficiently protected.

Information security plan

Each firm needs to create a security plan and keep it up-to-date. The plan contains descriptions of security controls implemented within the organization, security policies, and a timetable for introduction of further controls.

Security controls

Each firm needs to review NIST SP 800-53 — an extensive catalog of security controls — and implement the controls that are relevant to their organization and systems. The organization must document the selected controls in their security plan.

Risk Assessments

Each organization must conduct risk assessments according to NIST SP 800-30 guidelines. Security risks need to be identified at the organizational level, the business process level, and the information system level. FISMA requires program officials and the head of each agency to conduct annual security reviews to ensure risks are kept to acceptable levels in a cost-effective, timely and efficient manner.

Agencies and contractors can achieve FISMA Certification and Accreditation through a four-phase process, which includes initiation and planning, certification, accreditation, and continuous monitoring.

Enforcement and penalties for non-compliance

There’s a range of potential penalties for FISMA non-compliance, including censure by Congress, a reduction in federal funding, and reputational damage resulting from data breaches.

For some vendors, part of the relationship with their government clients is some level of federal funding to enhance their efforts. When CUI or CDI is breached because a contractor didn’t maintain a solid information security program, a contractor may lose some level of federal funding. A contractor may also be called to government hearings to further determine the scope of the damage, and assess whether or not it was FISMA compliant prior to the breach. This can become a painful and lengthy process. Further, if a contractor is found to be non-compliant with the FISMA framework, the damage can be massive and may include censure from future contracts or future contracts requiring additional assurance of the organization’s cybersecurity practices. Want more help? Get the FedRAMP compliance starter guide.

FISMA: Frequently Asked Questions

Yes, FISMA does apply to contractors. Any organization, including contractors and service providers, that handles or processes federal information or operates an information system on behalf of a federal agency must comply with FISMA requirements. This includes ensuring that their information security programs align with the standards set by FISMA, such as implementing adequate security controls, conducting regular risk assessments, and reporting security incidents. Contractors must work closely with the federal agencies they serve to ensure compliance with FISMA, as failure to do so can result in significant legal and financial repercussions, including loss of contracts.

FISMA has a variety of key requirements, including:

Developing an information security program: Agencies and contractors must create, document, and implement an organization-wide information security program
Conducting regular risk assessments: Identifying and assessing risks to the confidentiality, integrity, and availability of information and information systems
Implementing security controls: Establishing and enforcing a set of security controls based on risk assessments, typically aligned with NIST SP 800-53
Security planning: Developing and maintaining a security plan that describes the security measures in place to protect information systems
Continuous monitoring: Regularly monitoring, testing, and evaluating the effectiveness of security controls
Incident response and reporting: Developing procedures for detecting, reporting, and responding to security incidents
Security authorization: Conducting a formal assessment and authorization (SA&A) process to ensure information systems meet security requirements before they go live

FISMA does not specify levels in the sense of maturity models or certification tiers, but it does categorize systems and information based on the potential impact of a security breach, which are:

Low impact: The loss of confidentiality, integrity, or availability has limited adverse effects on organizational operations, organizational assets, or individuals
Moderate impact: The loss has serious adverse effects on organizational operations, organizational assets, or individuals
High impact: The loss has severe or catastrophic adverse effects on organizational operations, organizational assets, or individuals

These impact levels guide the selection of security controls, ensuring they are commensurate with the potential risk.

If FISMA is violated, the consequences can be severe, including:

Loss of contracts: Contractors that fail to comply with FISMA may lose existing contracts or be disqualified from future contracts with federal agencies
Reputational damage: Violations can result in significant damage to an organization’s reputation, impacting relationships with other clients and stakeholders
Increased scrutiny: Agencies and contractors may be subject to increased oversight and audits from the Office of Management and Budget (OMB), the Government Accountability Office (GAO), or other regulatory bodies
Operational disruption: Non-compliance could lead to a suspension of operations or require immediate corrective actions, which can disrupt business activities

Security Assessment and Authorization (SA&A) is a critical process under FISMA that ensures an information system is secure and can operate within an acceptable level of risk before it goes live. The SA&A process involves:

Security assessment: A comprehensive evaluation of an information system’s security controls to determine their effectiveness and compliance with established standards.
Authorization: A formal declaration by an authorized official that the system is approved to operate, acknowledging that the risks have been adequately managed. This is typically documented in an Authorization to Operate (ATO) letter.

SA&A must be conducted regularly and whenever there are significant changes to the system or environment, ensuring that security controls remain effective over time.

Compliance with FISMA is mandatory for all federal agencies and their contractors or service providers that manage or process federal information or operate federal information systems. This includes organizations across various sectors, such as IT service providers, cloud service providers, and any entities that handle federal data. State agencies that administer federal programs or receive federal funding may also be required to comply with FISMA standards, such as Medicare/Medicaid or student loans.

The FISMA Certification and Accreditation (C&A) process is a formal procedure used to assess and authorize federal information systems. While C&A has largely been replaced by the SA&A process, it historically involved two main phases:

Certification: A comprehensive evaluation of an information system’s technical and non-technical security controls to ensure they meet FISMA requirements
Accreditation: The decision by a senior official to authorize the system for use based on the results of the certification, considering the acceptable level of risk

The C&A process was designed to ensure that systems were secure before they were put into operation and remained secure throughout their lifecycle.

The National Institute of Standards and Technology (NIST) plays a central role in FISMA compliance by developing the guidelines, standards, and best practices that agencies and contractors must follow. Key NIST publications relevant to FISMA include:

NIST SP 800-53 provides a catalog of security controls that organizations must implement based on the impact level of their systems
NIST SP 800-37 outlines the Risk Management Framework (RMF), which guides the SA&A process
NIST SP 800-171 provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations

NIST’s role is to ensure that federal information systems are secure and resilient by providing a comprehensive set of standards that are widely recognized and adopted across the federal government and its contractors.

FISMA and FedRAMP (Federal Risk and Authorization Management Program) both aim to ensure the security of federal information systems, but they have different scopes and focuses:

FISMA: Applies broadly to all federal information systems and the contractors that manage or process federal information. It provides a general framework for information security management across the federal government.
FedRAMP: Specifically applies to cloud service providers (CSPs) and is a government-wide program designed to standardize the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. FedRAMP leverages FISMA but focuses exclusively on cloud environments.

While FISMA is more general, FedRAMP provides a more specific set of requirements and processes tailored to cloud services.

The Cybersecurity Maturity Model Certification (CMMC) and FISMA are both cybersecurity frameworks, but they serve different purposes and audiences:

FISMA: Focuses on ensuring that federal information systems and the organizations that operate them meet specific security requirements. It applies to federal agencies and contractors dealing with federal data.
CMMC: Primarily applies to the defense industrial base (DIB) and is used by the Department of Defense (DoD) to ensure that contractors meet specific cybersecurity maturity levels before they can handle controlled unclassified information (CUI) or participate in DoD contracts.

While FISMA emphasizes compliance with a broad set of security controls, CMMC introduces a tiered maturity model, ranging from basic cyber hygiene to advanced practices, to ensure that contractors can adequately protect sensitive information.

FISMA maps to the following frameworks:

Hyperproof makes FISMA compliance simple

Seamlessly map FISMA controls to various regulatory frameworks and standards for comprehensive compliance
Accelerate your path to FISMA compliance with tools designed to meet all critical regulations that are relevant to your business
Integrate effortlessly with the project management tools your organization already uses, like Jira, ServiceNow, and Asana, to enhance workflow efficiency
Leverage evidence across multiple frameworks and controls to streamline the compliance process
Efficiently gather and document evidence to support your efforts towards FISMA compliance
Identify and prioritize your essential workflows, ensuring critical tasks are managed effectively