What is FISMA?

FISMA stands for the Federal Information Security Management Act. It is United States legislation that was enacted as part of the Electronic Government Act of 2002. The act recognizes the importance of information security to the economic and national security interests of the United States.

FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

This act has brought attention within the federal government to cybersecurity and explicitly emphasizes a "risk-based policy for cost-effective security." FISMA has also included duties for federal agencies to maintain adequate cybersecurity hygiene, including:

  • Conducting an annual review of the agency's information security program and report the results to the Office of Management and Budget (OMB).
  • Developing and maintaining an inventory of major information systems.
  • Categorizing information and information systems according to risk level.
  • Implementing security controls to protect information and information systems.
  • Conducting risk assessments and continuously monitoring performance.

FISMA 2014

The Federal Information Security Modernization Act of 2014 (FISMA 2014) is an update to the original Federal Information Security Management Act of 2002 (FISMA 2002). Here are some of the key differences and updates that FISMA 2014 introduced:

  1. Automation and Integration: FISMA 2014 emphasizes the use of automated and continuous monitoring of cybersecurity threats and the implementation of real-time security information for federal information systems. This contrasts with the more manual and periodic assessments that were more common under FISMA 2002.
  2. Clarification of Roles: The new act clarifies the roles and responsibilities of the Department of Homeland Security (DHS), assigning it the task of administering the implementation of information security policies for non-national security federal Executive Branch systems, including ongoing authorization and monitoring of systems.
  3. Reporting Requirements: FISMA 2014 reduces the reporting requirements for federal agencies by focusing on automation and eliminating some of the manual reporting processes that were part of FISMA 2002. This change aims to promote efficiency and timeliness in responding to threats.
  4. Risk Management: While FISMA 2002 established the importance of creating risk-based policies for information security, FISMA 2014 enhances this approach by requiring federal agencies to implement a risk management framework that is consistent with guidelines developed by NIST.
  5. Information Sharing: The updated act encourages the sharing of cybersecurity information among federal agencies to improve protection against threats.
  6. National Security: While FISMA 2002 focused broadly on information security across all federal agencies, FISMA 2014 recognizes the specific needs and concerns related to systems that have national security implications, ensuring these are handled with appropriate measures.

FISMA 2014 modernizes the original law, taking into account the evolution of cybersecurity practices and threats, and seeks to make federal information security management more dynamic, continuous, and focused on modern risk management and information sharing practices.