

FISMA Compliance Explained

The Federal Information Security Management Act (FISMA) was passed in 2002 and made it a requirement for federal agencies to implement cybersecurity programs to protect systems and information. FISMA requires federal agencies to create and embed IT security plans, including policies for IT risk assessment. FISMA applies to federal information systems and networks, and it also covers information assets that are processed or managed by government contractors and subcontractors. FISMA promotes a risk-based approach to protecting information security across federal networks, so that cybersecurity protection scales alongside the risk of harm resulting from a potential breach.

A risk-based approach provides insight into the best investment of time and resources. In practice, FISMA sets out a series of requirements that include meeting specific NIST standards for cybersecurity policy and procedure. FISMA was amended and modernized in 2014 by the Federal Information Security Modernization Act. Often referred to as FISMA 2014, the amendments reformed the way compliance is reported, among other changes. This guide explores the background of FISMA, what it means for federal cybersecurity, and ways to achieve and maintain compliance.

What is FISMA?

The Federal Information Security Management Act (FISMA) is legislation passed in 2002 that requires federal agencies to develop and maintain information security programs. The most up-to-date version of FISMA is the Federal Information Security Modernization Act passed in 2014. The newest version is known as FISMA but is also referred to as FISMA 2014 or the FISMA Reform.

FISMA was introduced to strengthen the cybersecurity defenses of federal information networks and systems. It applies to any organization within the federal information network, so it is relevant to government contractors and IT service providers as well as to the agencies themselves.

As the name suggests, FISMA deals with the management of cybersecurity risk. It outlines specific requirements that must be met to ensure best-practice cybersecurity procedures. Compliance is recorded in regular reports that provide insight into the cybersecurity progress of all federal agencies. Compliance strengthens the overall resilience of federal networks, lowering the risk of significant breaches.

FISMA makes the National Institute of Standards and Technology (NIST) responsible for developing cybersecurity standards and guidelines. For example, IT security standard NIST Special Publication 800-171 provides best practice cybersecurity controls to help safeguard Controlled Unclassified Information (CUI) on non-federal systems. Many of the requirements outlined by FISMA are met by following NIST guidelines and publications.

FISMA requires federal agencies to implement IT security programs to protect IT systems and networks. This makes it extremely relevant to the service providers and contractors that make up the wider federal information technology ecosystem. Organizations can implement programs by following standards and guidelines produced and published by NIST. Government agencies must review their cybersecurity program each year as part of their FISMA compliance reporting requirements, submitting their performance report to the Office of Management and Budget (OMB).

What is the Federal Information Security Modernization Act?

Since FISMA was first passed in 2002, it has been amended and updated by the Federal Information Security Modernization Act of 2014. This update is often referred to as FISMA 2014 or the FISMA Reform. The amendments focused on improving the federal government's ability to respond to IT security issues and incidents, and they do this by assigning clear responsibility for implementing security programs and responding to cybersecurity incidents. FISMA 2014 gives final responsibility for a government agency's cybersecurity policies to the head of the agency or program. This responsibility is generally delegated to the agency's Chief Information Officer (CIO).

FISMA 2014 also amended the overall reporting structure for agency compliance. Annual reports on cybersecurity policy are produced by the Office of Management and Budget (OMB) for Congress. The reports are produced on an agency-by-agency basis, and the agencies' assessments are designed to be streamlined to avoid wasted budget or inefficiencies. The agencies must submit regular reports to the OMB, using key metrics to score compliance and implementation. FISMA 2014 also requires agencies to provide notification of any data breaches or serious cybersecurity incidents.

In addition, the Department of Homeland Security (DHS) is identified as a major lead for federal cybersecurity. The DHS is required to respond to serious incidents and coordinate cybersecurity policies, and it can issue directives to other government agencies to safeguard information systems.

Why was FISMA introduced?

FISMA was introduced to strengthen federal information systems against the growing threat of cyber breaches or attacks on sensitive government information. An increasingly connected world means federal agencies and their contractors collect and process a huge amount of sensitive information and data. These complex systems are entwined and connected with citizens, industry, and all levels of government. Breaches of these networks have the potential to cause significant damage to information infrastructure and are deemed a threat to national security. Cybersecurity frameworks help to protect critical infrastructure by setting a minimum baseline for information security. Clear security controls, together with processes for properly reviewing and managing risk, help to safeguard this sensitive information.

FISMA aimed to establish a baseline level of IT security standards for both federal agencies and government contractors. The requirements help to achieve a consistent level of information security across federal networks. It also sets guidelines on assessing the security of systems and networks with contractors and subcontractors in the supply chain. FISMA standardizes and streamlines the approach to understanding and protecting these complex systems and networks. Standards help to identify and improve common vulnerabilities in systems and networks. By developing procedures in cybersecurity assessment, organizations gain the ability to drive constant improvement to their network security.

Who needs to be FISMA compliant?

FISMA applies to any organization involved in the operation of information systems for US government agencies. This includes the government agency itself, but also contractors that might process or collect information on behalf of the agency, and service providers which support the overall information systems. The final responsibility for FISMA compliance is with the head of the different federal agencies.

FISMA requires cybersecurity protections relative to the risk of information breach and the level of harm a breach would cause. FISMA compliance must be met by federal agencies and any organization that processes or collects information on behalf of a federal agency. FISMA requirements can be achieved by becoming compliant with specific NIST standards and guidelines.

The Office of Management and Budget (OMB) publishes an annual report to Congress on federal agencies' performance in implementing FISMA requirements. This informs the Federal Information Technology Acquisition Reform Act (FITARA) scorecard, which measures the progress of the 24 largest federal agencies in managing their IT portfolios and includes a cybersecurity score reflecting FISMA compliance. Non-federal organizations that fail to comply with FISMA not only risk reputational damage but could also lose funding or government contracts for non-compliance.

FISMA compliance requirements

FISMA outlines a compliance framework for federal information systems. Compliance with the elements of the framework is achieved by meeting the cybersecurity standards and guidelines published by the National Institute of Standards and Technology (NIST).

FISMA required NIST to publish guidance and standards to help organizations to achieve the required level of IT security protection. Guidance is based on achieving the appropriate level of protection against different risk levels. Standards also outline minimum security requirements to lower the risk of cybersecurity attacks against different information systems.

To be compliant, organizations must meet requirements outlined by a series of NIST standards and guides. Each requirement covers minimum security requirements and controls, but also guidance in setting up cybersecurity risk management policies and procedures. FISMA compliance originally just applied to US federal agencies but it has expanded to cover organizations that provide services to the federal government.

What are the FISMA controls?

FISMA compliance includes a range of requirements, or controls, to safeguard federal systems. These high-level requirements work to strengthen information systems and safeguard federal information. Each of the main FISMA requirements is a core element of a risk management system, and together the controls build cybersecurity resilience in networks and systems. Any new system or network must pass through the FISMA framework to ensure the wider network is protected. Here are seven of the main FISMA controls that make up the cybersecurity framework.

1. Maintaining an inventory of information systems

A key FISMA requirement is the creation of an information system inventory that clearly maps out the boundaries of the networks and the connection between each information system. The inventory details the different networks and systems used by the agency and any points of contact with external systems. This is an integral part of any information management plan, which requires a clear understanding of each system and potential entry points.

2. Categorization of information systems by risk level

Each information system identified in the inventory must be categorized by its level of risk. The level of risk from a cybersecurity breach of a specific system has a direct impact on the level of protection required. FISMA takes a risk-based approach to IT security management, so defining the risk level is an important part of this approach.

3. Create and maintain a system security plan

Maintaining a system security plan is a main requirement for FISMA compliance. The document outlines cybersecurity policies and procedures, as well as key milestones for achieving compliance with cybersecurity controls. The plan is required to be regularly reviewed and updated and should be seen as a living document to be amended and scrutinized.

4. Embed security controls

Systems must meet the minimum security requirements set out in the relevant NIST publication. The baseline security controls can be tailored to the organization's specific network or requirements, but they must be documented within the system security plan. These security controls provide the basis for cybersecurity protection across federal information systems. Standardized security controls help to set the minimum level of defense against cybersecurity threats.

5. Risk assessment plan

A major aim of FISMA is to create risk assessment processes in federal agencies. IT risk assessment is important, as it sets the risk baseline that determines which security controls are needed. A risk assessment plan helps to identify and mitigate cybersecurity threats and potential network vulnerabilities. An environment of continuous assessment and improvement can only be achieved with regular risk assessments.

6. Certification and accreditation

Any new IT system, software, assets or hardware needs to be fully reviewed before being accredited and certified for use in the wider federal IT system. Accreditation means that any system is scrutinized for cybersecurity vulnerabilities. Security controls can also be assessed at this point to help lower the risk of cybersecurity incidents. A standardized approach to accrediting new systems or assets means any risks are properly managed and understood.

7. Continuous monitoring

Security controls and systems should be continuously monitored and refined to keep up to date with emerging cyber threats. Risk assessments should be performed on any large-scale changes to the system, whilst security controls should be regularly assessed for ongoing efficiency.

What does FISMA mean for contractors?

FISMA is mainly focused on requirements for federal agencies, but it also affects information assets that are processed or managed by government contractors and subcontractors. The federal agencies have the final responsibility for maintaining and safeguarding federal information systems. However, as part of this, government contractors are scrutinized in line with FISMA requirements. Any government contractor that processes or collects information on behalf of the government is part of this federal network. Contractors that do not meet FISMA requirements could lose their contract or federal government funding.

Contractors should be aware of any FISMA clauses included in their contracts, as well as any other compliance requirements, such as NIST SP 800-171 or the DoD’s new Cybersecurity Maturity Model Certification (CMMC).

Understanding FISMA reporting

Government agencies are required to report on the effectiveness of cybersecurity policy and practices as part of FISMA. These reporting requirements were updated as part of the FISMA 2014 amendments. Chief Information Officers must produce FISMA reports that capture a range of different metrics. These FISMA metrics help to score the overall implementation of security controls and policies.

The main aim of FISMA is to take a risk-based approach to cybersecurity improvements. Reporting on FISMA metrics helps organizations gauge how fully security controls and policies have been implemented. FISMA reports are aggregated from different agencies to provide insight into overall federal agency cybersecurity. These reports also provide a way of measuring continuous improvement as cybersecurity goals are set and met.

FISMA metrics are based around the five areas of NIST’s Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity). These are known as the core functions of the framework and represent the key steps to achieving effective cybersecurity.

The five functions are:
  1. Identify - Metrics focus on measuring an agency’s ability to identify, manage, and map systems and networks. This function also focuses on the diagnosis of network issues and systems.

  2. Protect - Metrics record the level of safeguarding for networks and systems. The function helps an organization understand its ability to contain a cybersecurity incident, protecting the rest of the network.

  3. Detect - Metrics deal with the process of detecting and discovering system and network breaches or changes.

  4. Respond - Metrics focus on policies to respond to cybersecurity incidents, including the creation and testing of response plans.

  5. Recover - Metrics collect information on recovery plans in place to respond to cybersecurity breaches or disruption to networks.

Secure your network

Titania Nipper is an accurate firewall audit tool and network configuration audit tool that can help organizations achieve compliance with FISMA. Nipper will automate the assessment of network controls needed for FISMA compliance, saving auditors time and resources with each scan. Identify vulnerabilities in routers, switches and firewalls to reach compliance today.