FISMA Definition, Requirements, Penalties, and More
The Federal Information Security Management Act (FISMA) is a United States federal law enacted in 2002 that requires federal agencies to develop, document, and implement an agency-wide information security program. FISMA was enacted as Title III of the E-Government Act of 2002, which was introduced to improve the management of electronic government services and processes. It was later amended by the Federal Information Security Modernization Act of 2014, which kept the FISMA acronym and moved much of the day-to-day oversight of civilian agency security to the Department of Homeland Security.
FISMA is one of the most important federal statutes for information security standards and guidelines. It was introduced to reduce the security risk to federal information and systems while managing federal spending on information security. To achieve these aims, FISMA requires agencies to follow a set of security standards and guidelines, largely developed by NIST. In practice its reach extends beyond federal agencies: state agencies that administer federal programs such as Medicare and Medicaid, and private contractors that operate or use federal information systems on an agency's behalf, inherit FISMA requirements through the agreements and contracts under which they handle federal data.
In April 2010 the Office of Management and Budget (OMB) issued reporting guidance (memorandum M-10-15) that shifted agencies from annual paper-based reporting toward automated, near real-time data feeds on the security state of their systems, enabling continuous monitoring of FISMA-regulated information systems rather than point-in-time assessments.
FISMA Compliance Requirements
The National Institute of Standards and Technology (NIST) plays a central role in the FISMA Implementation Project, launched in January 2003, which produced the key security standards and guidelines required by FISMA. These publications include FIPS 199 (security categorization), FIPS 200 (minimum security requirements), and the NIST Special Publication 800 series (for example SP 800-53, the catalog of security and privacy controls, and SP 800-37, the Risk Management Framework).
The top FISMA requirements include:
Information System Inventory:
Risk Categorization:
System Security Plan:
Security Controls:
Risk Assessments:
Certification and Accreditation (now called Assessment and Authorization under the NIST Risk Management Framework):
The Benefits of FISMA Compliance
FISMA compliance has increased the security of sensitive federal information. Continuous monitoring for FISMA compliance provides agencies with the information they need to maintain a high level of security and to find and remediate vulnerabilities in a timely and cost-effective manner.
Companies operating in the private sector, particularly those that do business with federal agencies, can also benefit from maintaining FISMA compliance. It can give private companies an advantage when competing for new business from federal agencies, and by meeting FISMA requirements companies cover many of the security best practices that FISMA and the underlying NIST publications describe.
Penalties for FISMA Non-Compliance
Government agencies or associated private companies that fail to comply with FISMA face a range of potential penalties, including censure by Congress, a reduction in federal funding, loss of contracts for contractors, and reputational damage.
FISMA Compliance Best Practices
Achieving FISMA compliance does not need to be a difficult process. The following are some best practices to help your organization meet all applicable FISMA requirements. While this list is not exhaustive, it will get you well on the way to achieving FISMA compliance.
Further Reading
Learn more about FISMA compliance by checking out the following resources: