The Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is a federal law implemented by the Department of Defense (DoD) that requires federal agencies and vendors who handle sensitive information held by the government to develop, document, and implement an information security and protection program. FISMA establishes a set of guidelines and security standards that covered entities are required to meet.
What Types of Businesses Need to Comply With FISMA?
FISMA was created for several reasons. One, it was designed to protect sensitive information held by the government. Compliance is mandatory for federal agencies as well as state agencies that administer federal programs such as Medicare. Second, it was designed to ensure the same information is adequately safeguarded by third parties, vendors, contractors that handle certain types of classified and/or sensitive information. This covers multiple types of information, including Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
Firms in the private sector that do business with federal agencies should consider maintaining FISMA compliance, as it can give them an edge when seeking new business from federal agencies.
Key requirements of FISMA
IT system inventory and risks catalog. Every federal agency or contractor working with the government needs to keep an inventory of all information systems used within the organization, and identify how these systems connect to one another. Each firm must also categorize their information and IT systems in order of risk to ensure that sensitive information and the systems such information flow through are sufficiently protected.
Information security plan. Each firm needs to create a security plan and keep it up-to-date. The plan contains descriptions of security controls implemented within the organization, security policies, and a timetable for introduction of further controls.
Security controls. Each firm needs to review NIST SP 800-53 -- an extensive catalog of security controls -- and implement the controls that are relevant to their organization and systems. The organization must document the selected controls in their security plan.
Risk Assessments. Each organization must conduct risk assessments according to NIST SP 800-30 guidelines. Security risks need to be identified at the organizational level, the business process level, and the information system level. FISMA requires program officials and the head of each agency to conduct annual security reviews to ensure risks are kept to acceptable levels in a cost-effective, timely and efficient manner.
Enforcement and penalties for non-compliance
There’s a range of potential penalties for FISMA non-compliance, including censure by Congress, a reduction in federal funding, and reputational damage resulting from data breaches.
For some vendors, part of the relationship with their government clients is some level of federal funding to enhance their efforts. When CUI or CDI is breached because a contractor didn’t maintain a solid information security program, a contractor may lose some level of federal funding. A contractor may also be called to government hearings to further determine the scope of the damage, and assess whether or not it was FISMA compliant prior to the breach. This can become a painful and lengthy process. Further, if a contractor is found to be non-compliant with the FISMA framework, the damage can be massive and may include censure from future contracts or future contracts requiring additional assurance of the organization’s cybersecurity practices.