What Is FISMA? Compliance and Benefits

What Is FISMA?

FISMA (the Federal Information Security Management Act) is a U.S. law requiring federal agencies, certain state agencies, and private government contractors to develop, document, and implement an information security and protection program.

Using key security standards established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, FISMA aims to reduce the security risk to federal information and data.

What Is “Information Security” According to FISMA?

FISMA regulates information security, which it defines as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.”

FISMA Compliance Requirements

Based on guidance from NIST, FISMA’s primary requirements include:

Information System Inventory

Every agency or contractor must keep an inventory of all the information systems they use — and the way they integrate with other systems.

Risk Categorization

Agencies must use guidelines set forth in the FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” to categorize the risk levels of their information and information systems — and conform to standardized security requirements.

System Security Plan

Agencies must create and maintain a security plan — and update it regularly. The plan should include security controls, policies, and a timeline for future security updates.

Security Controls

NIST SP 800-53 defines 20 security controls for FISMA compliance — and agencies must implement those that are relevant to their systems (not necessarily all 20), as well as monitor and document them.

Risk Assessments

Agencies must conduct risk assessments any time there is a change to their systems. Risk assessments must be three-tiered, identifying risk at the organizational, business process, and information system levels, using the Risk Management Framework.

Certification and Accreditation

Agencies must conduct annual security reviews that prove they can maintain and continuously monitor risk — and keep security risks to a minimum.

Why Was FISMA Created?

FISMA was created in 2002 as part of the larger Electronic Government Act — better known as the E-Government Act — which established the importance of information security to national and economic interests.

FISMA required each federal agency to develop, document, and implement a complete information security plan that would support and protect the operations of the agency.

Congress amended FISMA in 2014 with the Federal Information Security Modernization Act. The amended legislation made several modifications to the original law that brought FISMA in line with current information security concerns: it modernized information security requirements, aligned them with compliance efforts, and encouraged more continuous monitoring processes.

Who Is Subject to FISMA?

When the E-Government Act was created in 2002, FISMA was its strongest component.

At the time, the law only applied to federal agencies. Later, it expanded to cover state agencies that managed federal programs like Medicare, Medicaid, unemployment insurance, student loans, and so on.

Furthermore, the law evolved to cover companies that contract work with federal agencies, meaning that FISMA compliance does not just stop with the public sector. Private organizations that are affiliated with government agencies must also comply with FISMA guidelines and mandates — or face penalties for violations.

FISMA Compliance Penalties and Violations

Agencies in the public sector and private companies that work with them face several penalties for FISMA violations and non-compliance.

They include:

  • censure by the U.S. Congress
  • reputational damage due to data breaches
  • reduction in federal funding
  • the loss of federal funding

A loss or reduction in federal funding can be debilitating for both federal agencies and private vendors. For some private contractors, moreover, that loss — and the damaged relationships with federal agencies that can result from FISMA non-compliance — can spell the end of a company.


The U.S. government encourages cloud computing as a way to reduce costs for federal agencies. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that standardizes the way agencies approach cloud service providers (CSPs) — in terms of security assessments, authorizations, monitoring, and so on. Software vendors looking to land government accounts should explore FedRAMP authorization.

Benefits of a FISMA Compliance Solution

Beyond opening up work opportunities with federal agencies for private organizations, compliance gives all organizations the benefits of:

  • strengthened data security
  • protection from data breaches
  • reduced IT-related costs
  • protection of citizens' private and sensitive data

How to Become FISMA Compliant with BigID

Discover all your data — everywhere: Find and inventory your sensitive, critical, and high-risk data for a clear view of all the data you store and maintain.

Automate advanced, ML-based classification: Automatically classify, tag, and inventory all federal and high-risk data.

Reduce your data footprint: Minimize duplicate, similar, and redundant data; fix data quality issues; and automate workflows based on retention timelines.

Know your data risk — and reduce it: Prioritize your most high-risk, sensitive data. Identify and minimize risk on sensitive data with risk scores that incorporate data parameters like data type, location, residency, and more.

Gain confidence in your data: Get 360° data quality insights by business entities and data sources, all in a unified inventory — across all of your data, wherever it lives.

Achieve FISMA compliance: Maintain detailed records of information systems, stay on top of audits, and annually report on FISMA compliance.

Learn more about how BigID can help federal and private agencies achieve FISMA compliance and beyond. Check out a demo.