What is FISMA?

FISMA is an acronym that stands for the Federal Information Security Modernization Act. FISMA is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law part of the Electronic Government Act of 2002.

What is its purpose?

FISMA 2014: (1) reestablishes the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies and practices, and (2) sets forth authority for the Secretary of Homeland Security (DHS) to administer the implementation of such policies and practices for information systems.

How is it implemented?

The legislation provides DHS authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices. It also:

  •  Authorizes DHS to provide operational and technical assistance to other federal Executive Branch civilian agencies at the agency’s request;
  • Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
  • Authorizes DHS technology deployments to other agencies' networks (upon those agencies' request);
  • Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
  • Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually; and
  • Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.

How does FISMA affect us and our customers?

All Federal agencies and organizations working with a federal agency must be FISMA compliant. An effective information security program should include:

  • Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
  • Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system
  • Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
  • Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks
  • Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
  • A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization
  • Procedures for detecting, reporting, and responding to security incidents
  • Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.

For more information, please see below references: