Vol. 1 · Ed. 2026
CyberGlossary
Entry № 471

FISMA

Reviewed by Cybersecurity entrepreneur & security researcher

What is FISMA?

FISMA: A U.S. federal law that requires federal agencies and their contractors to implement risk-based information security programs for systems handling government data.


The Federal Information Security Modernization Act (FISMA), originally enacted in 2002 and updated in 2014, mandates that federal agencies develop, document, and implement an agency-wide information security program. It assigns NIST to publish standards (FIPS 199 for categorization, FIPS 200 for minimum controls) and guidelines (the SP 800-53 control catalog, SP 800-37 Risk Management Framework). Agencies must inventory systems, perform risk assessments, authorize systems to operate (ATO), continuously monitor controls, and report annually to OMB and Congress. FISMA also covers contractors and cloud providers that operate federal information systems. OMB and CISA share oversight; the GAO audits effectiveness.

Examples

  1. An agency assigning an Authorization to Operate (ATO) to a new HR system after a NIST SP 800-53 control assessment.

  2. A federal contractor running continuous monitoring and submitting POA&Ms to maintain FISMA compliance.
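The definition above lists FIPS 199 categorization as the first step before controls are selected and a system is authorized. The following is an added example, not code from this glossary or from NIST, that carries that step through for a system like the HR system in example 1: each information type gets a LOW/MODERATE/HIGH impact per security objective (FIPS 199 also allows "not applicable" for confidentiality of public information), the system category per objective is the highest value over its information types with LOW as the floor, and the FIPS 200 high-water mark across the three objectives gives the single impact level that selects the SP 800-53 baseline. The information types and impact values in `HR_SYSTEM` are constructed sample data.

```python
"""FIPS 199 security categorization and the FIPS 200 high-water mark.

Added example for this glossary entry; not code from the page or from NIST.
The LOW/MODERATE/HIGH scale, the per-objective max rule and the
"not applicable" confidentiality case follow FIPS 199; the system-level
high-water mark follows FIPS 200. The HR information types and impact
values below are constructed sample data (hypothetical).
"""
from dataclasses import dataclass

IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")   # ordered: later means higher impact
NOT_APPLICABLE = "NOT_APPLICABLE"             # valid only for confidentiality of an information type
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One FIPS 199 information type with its three impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject impact values outside the standard's scale; NOT_APPLICABLE
        # is accepted for confidentiality only (e.g. public information).
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            allowed = IMPACT_LEVELS + ((NOT_APPLICABLE,) if objective == "confidentiality" else ())
            if level not in allowed:
                raise ValueError(f"{self.name}: {objective} impact {level!r} not in {allowed}")


def _rank(level):
    # NOT_APPLICABLE ranks below LOW so it can never raise a system's category.
    return -1 if level == NOT_APPLICABLE else IMPACT_LEVELS.index(level)


def categorize_system(info_types):
    """Per-objective system category: the highest impact over all information types.

    FIPS 199 sets LOW as the floor for each objective of an information system,
    so a system that only handles public data still gets confidentiality LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(info_types, key=lambda it: _rank(getattr(it, objective)))
        level = getattr(highest, objective)
        category[objective] = level if _rank(level) >= 0 else "LOW"
    return category


def overall_impact(category):
    """FIPS 200 high-water mark: the highest of the three objective levels.

    This single level is what selects the SP 800-53 LOW, MODERATE or HIGH baseline.
    """
    return max((category[objective] for objective in OBJECTIVES), key=_rank)


def fips199_notation(label, category):
    """Render a categorization the way FIPS 199 writes it."""
    parts = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample: an HR system split into two information types
# (hypothetical values chosen for illustration, not a real agency's data).
HR_SYSTEM = [
    InformationType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InformationType("public job postings", NOT_APPLICABLE, "MODERATE", "LOW"),
]

if __name__ == "__main__":
    category = categorize_system(HR_SYSTEM)
    print(fips199_notation("HR system", category))
    print("overall impact / SP 800-53 baseline:", overall_impact(category))
```

For the sample system this yields `SC HR system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}` and an overall impact of MODERATE, so the MODERATE baseline would be the starting point for the SP 800-53 assessment that precedes the ATO. The floor and the confidentiality-only rule for "not applicable" are the two places where a hand-rolled spreadsheet usually goes wrong.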

Frequently asked questions

What is FISMA?

A U.S. federal law that requires federal agencies and their contractors to implement risk-based information security programs for systems handling government data. It belongs to the Compliance & Frameworks category of cybersecurity.

What does FISMA mean?

A U.S. federal law that requires federal agencies and their contractors to implement risk-based information security programs for systems handling government data.

How do you defend against FISMA?

FISMA is a compliance requirement rather than a threat; meeting it combines technical controls and operational practices (system inventory, risk assessment, authorization, continuous monitoring and reporting), as detailed in the full definition above.

What are other names for FISMA?

Common alternative names include: Federal Information Security Modernization Act, Federal Information Security Management Act.
