FISMA (the Federal Information Security Management Act of 2002) is a U.S. law requiring federal agencies, and the state agencies and private contractors that operate information systems on their behalf, to develop, document, and implement an agency-wide information security program.
FISMA relies on the security standards and guidelines published by the National Institute of Standards and Technology (NIST), chiefly the FIPS publications and the SP 800 series, to reduce the security risk to federal information and information systems.
FISMA regulates information security, which it defines as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.”
Who Does FISMA Apply To?
FISMA was enacted in 2002 as Title III of the E-Government Act. Although it is written as a law about federal agencies, from the start it covered information systems "used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." In practice that reaches state agencies that administer federal programs such as Medicare, Medicaid, unemployment insurance, and student loans.
It also reaches the private sector: companies that process federal information or operate systems under a federal contract must meet FISMA's requirements, which are passed down through the contract, and can lose the contract or be barred from future work if they do not.
FISMA Compliance Checklist
Based on guidance from NIST, here are 6 steps to achieve FISMA compliance:
- Information System Inventory: Federal agencies and contractors must maintain an inventory of the information systems they operate, including the interfaces between each system and other systems or networks. For each system the record should capture what it is, who owns it, what hardware and software it runs on (manufacturer, model, version), when it was acquired and deployed, and its maintenance and update history.
- Risk Categorization: FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) defines how to categorize each system as low, moderate, or high impact based on the harm that a loss of confidentiality, integrity, or availability would cause. The system's overall category is the highest level across the three. Categorization identifies the systems holding the most sensitive data so that agencies can apply stronger controls where they matter most.
- System Security Plan: Agencies must write and maintain a System Security Plan (SSP) for each system and update it as the system changes. The plan documents the system boundary, the security controls in place or planned, the policies that apply, and a timeline for planned security improvements.
- Security Controls: NIST SP 800-53 is the catalog of security and privacy controls used for FISMA compliance. It contains hundreds of controls organized into 20 families (in Revision 5), such as Access Control, Audit and Accountability, and System and Communications Protection. Agencies select the baseline that matches the system's FIPS 199 category, tailor it to the system, and then document and monitor the selected controls.
- Risk Assessments: Agencies should conduct regular risk assessments to find gaps in their security posture, and repeat them whenever a system changes significantly. Using the Risk Management Framework (NIST SP 800-37), agencies can identify and manage risk at the organization, mission and business process, and information system levels.
- Authorization (formerly Certification and Accreditation): Once the preceding steps are complete, an authorizing official reviews the assessment results and decides whether to grant the system an authorization to operate (ATO). FISMA also requires an annual independent evaluation of each agency's program and annual reporting, and the authorization is only sustained through continuous monitoring of the controls and of changes to the system.
Why Was FISMA Created?
FISMA was created in 2002 as part of the larger Electronic Government Act (the E-Government Act), which recognized information security as a matter of national and economic interest.
FISMA required each federal agency to develop, document, and implement an agency-wide information security program to protect the information and systems that support its operations and assets.
In 2014 Congress amended the law in the Federal Information Security Modernization Act. The amendments brought FISMA in line with current security practice: they clarified the Office of Management and Budget's oversight role, gave the Department of Homeland Security an operational role in administering agency security policies, and shifted the emphasis from periodic paper-based reporting toward continuous monitoring and timely reporting of security incidents.
FISMA Compliance Penalties and Violations
FISMA itself does not impose fines. The consequences for agencies and for the private companies that work with them are indirect, but they are real:
- censure by the U.S. Congress and adverse findings in Inspector General and GAO reports
- reputational damage when weak controls lead to data breaches
- reduction or loss of federal funding for the affected programs
- for contractors, loss of the contract and exclusion from future federal work
A loss or reduction in federal funding can be debilitating for both federal agencies and private vendors. For some private contractors, that loss, together with the damaged relationships with federal agencies that follow from FISMA non-compliance, can spell the end of the company.
FedRAMP vs FISMA
While FISMA sets the compliance requirements for federal information systems in general, FedRAMP (the Federal Risk and Authorization Management Program) applies them specifically to cloud service providers (CSPs). The U.S. government encourages cloud adoption as a way to reduce costs for federal agencies, and FedRAMP standardizes how cloud services are assessed, authorized, and continuously monitored, using security baselines derived from NIST SP 800-53, so that one authorization can be reused across agencies.
A FedRAMP authorization therefore involves a security assessment by an accredited third-party assessor, an authorization decision, and ongoing continuous monitoring. Software vendors that want to sell cloud services to the government should plan for FedRAMP authorization.
Benefits of a FISMA Compliance Solution
Beyond opening up work with federal agencies for private organizations, every organization that achieves compliance can expect:
- stronger data security
- a lower likelihood and impact of data breaches
- reduced IT-related costs
- better protection of citizens' private and sensitive data
How to Become FISMA Compliant with BigID
Discover all your data — everywhere: Find and inventory your sensitive, critical, and high-risk data for a clear view of all the data you store and maintain.
Reduce your data footprint: Minimize duplicate, similar, and redundant data; fix data quality issues; and automate workflows based on retention timelines.
Know your data risk — and reduce it: Prioritize your most high-risk, sensitive data. Identify and minimize risk on sensitive data with risk scores that incorporate data parameters like data type, location, residency, and more.
Gain confidence in your data: Get 360° data quality insights by business entities and data sources, all in a unified inventory — across all of your data, wherever it lives.
Achieve FISMA compliance: Maintain detailed records of your information systems and the data they hold, stay ahead of audits, and support the annual FISMA reporting cycle.