Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
Definition and purpose
FISMA was enacted as part of the Electronic Government Act of 2002. Its primary purpose is to ensure the effectiveness of information security controls over information resources that support federal operations and assets. FISMA mandates the development and implementation of standards and guidelines that federal information systems must follow.
The National Institute of Standards and Technology (NIST) is responsible for establishing the standards and guidelines, while the Office of Management and Budget (OMB) oversees the act's implementation. The Department of Homeland Security (DHS) also plays a role in helping agencies with FISMA implementation.
FISMA was originally passed in 2002, but it underwent significant updates and reforms with the passage of the Federal Information Security Modernization Act (FISMA Reform) in 2014. The Cybersecurity Act of 2023 would update FISMA to require federal agencies to report all cybersecurity incidents and conduct standardized cybersecurity procedures on a regular basis.
FISMA applies to all federal agencies, their contractors, and other organizations that process, store, or transmit federal information. It does not apply directly to the private sector, state/local governments, or tribal entities unless they handle federal data or provide services on behalf of a federal agency.
Controls and requirements
FISMA compliance relies on the standards and guidelines set forth by NIST, primarily:
- NIST SP 800-53: This publication lists the security controls federal agencies need to apply. The controls are organized into families, like Access Control, Audit and Accountability, Incident Response, Security Assessment, System and Communications Protection, etc.
- NIST SP 800-37: Provides guidelines for the Risk Management Framework, which agencies use to certify and accredit their information systems.
These standards detail the processes and controls required for FISMA compliance, which include periodic risk assessments, policies and procedures, security awareness training, continuous monitoring, and incident response capabilities.
Please refer to the official FISMA 2014 documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
FISMA requires federal agencies to conduct annual reviews of their information security programs. These reviews might include self-assessments, third-party assessments, and Inspector General (IG) evaluations. Continuous monitoring practices might lead to more frequent evaluations of certain systems or controls.
The duration of a FISMA audit varies depending on the size and complexity of the agency or system being reviewed. A comprehensive agency-wide assessment could take several months, while evaluations of specific systems or controls might be completed in a shorter timeframe.