The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural and manmade threats. FISMA was enacted as part of the E-Government Act of 2002 and is one of the most important regulations for federal data security standards and guidelines.
The act requires each federal agency in the US government to develop, document, and implement an agency-wide information security program to protect sensitive data and information systems that support the operations and assets of the agency, including those provided or managed by another agency, third-party vendor, or service provider.
What is the Purpose of FISMA?
FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB) to strengthen information security systems.
In particular, FISMA requires agency program officials, chief information officers (CIOs), and inspectors general (IGs) to implement information security policies and controls to cost-effectively reduce information technology security risk to an acceptable level.
Once implemented, they must conduct an annual review of the agency's information security program and report the results to the Office of Management and Budget (OMB). The OMB then uses this data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with FISMA.
FISMA's scope has since increased to include state agencies administering federal programs like Medicare and any third-party vendors involved in a contractual agreement with the government.
In 2010, the Office of Management and Budget (OMB) released guidelines requiring agencies to provide real-time system information to FISMA auditors, enabling continuous monitoring of FISMA-regulated information systems.
FISMA 2014
While FISMA was replaced by the Federal Information Security Modernization Act of 2014 (FISMA 2014), it brought attention to the need for cybersecurity within the federal government by emphasizing the need for "a risk-based policy for cost-effective security."
FISMA 2014:
- Codifies the Department of Homeland Security's (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deployment
- Amends and clarifies the Office of Management and Budget's (OMB) oversight authority over federal agency information security
- Requires OMB to amend or revise OMB A-130 to eliminate inefficient and wasteful reporting
The updated A-130 emphasizes managing sensitive information over its lifecycle, representing a shift from viewing security and privacy requirements as compliance exercises to crucial elements of comprehensive, strategic, and continuous risk-based programs at federal agencies.
How Was FISMA Implemented?
The National Institute of Standards and Technology (NIST) developed standards, guidelines, and other resources to provide information security for all federal agency operations and assets in the FISMA Implementation Project launched in January 2003, excluding national security systems.
Part of NIST's role is to work closely with federal agencies to improve their understanding and implementation of FISMA and publish standards and guidelines, like the NIST Cybersecurity Framework, which provides the foundation for strong information security programs.
What are the FISMA Compliance Requirements?
FISMA defines a framework for managing information security that must be followed by all information systems used or operated by a U.S. federal government agency in the executive or legislative branches and by third-party vendors who work on behalf of a federal agency in those branches.
The framework is further defined by the National Institute of Standards and Technology (NIST), which has published standards and guidelines such as FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, FIPS 200 Minimum Security Requirements for Federal Information and Information Systems and the NIST 800 series.
There are seven main FISMA requirements:
1. Information System Inventory
FISMA requires agencies and third-party vendors to maintain an inventory of their information systems and an identification of any interfaces between each system and other systems or networks, including those not operated by or under the control of the agency. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, provides guidance on determining how to group information systems and their boundaries.
2. Risk Categorization
All sensitive information and information systems are categorized based on their required information security according to a range of risk levels. FIPS 199 and NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories provide categorization guidelines.
The key thing to understand about FISMA's risk assessment methodology is that it uses the high water mark for its impact rating. This means if a system scores low risk for confidentiality and integrity but high risk for availability, the impact level would be high risk.
3. Security Controls
FISMA requires federal information systems to meet minimum security requirements defined in FIPS 200. NIST SP 800-53 Recommended Security Controls for Federal Information Systems outlines appropriate security controls and assurance requirements. Agencies are not required to implement every control, only those they deem necessary. Once controls are selected and minimum security requirements satisfied, agencies must document selected controls in their system security plan.
4. Risk Assessments
The combination of FIPS 200 and NIST SP 800-53 forms the foundational level of all federal agencies' risk management frameworks. A cybersecurity risk assessment determines if the current security controls are sufficient and if any additional controls are needed.
Any risk assessment starts by identifying potential cyber threats, cyberattacks, vulnerabilities, exploits, and other common attack vectors, then map to controls designed to mitigate them. Risk is determined by calculating the likelihood and impact of a given security incident, considering existing controls. The end result is a risk assessment with calculated risks for all events and information about whether the risk is to be accepted or mitigated.
5. System Security Plan (SSP)
NIST SP-800-18 introduced the concept of a system security plan, a living document requiring periodic review, modification, plans of action, and milestones for implementing security controls. Procedures should be developed and outlined to review the plan, keep it current, and follow the progress on any planned security controls.
The system security plan is a major input into the security certification and accreditation process. During the process, the system security plan is analyzed, updated, and then accepted by a certification agent, confirming the security controls described are consistent with FIPS 199 and FIPS 200.
6. Certification and Accreditation
Once a risk assessment and system security plan are complete, FISMA requires program officials and agency heads to conduct annual security reviews to ensure security controls are sufficient and risk is sufficiently mitigated. FISMA certification and accreditation is a four-phase process that includes initiation and planning, certification, accreditation, and continuous monitoring.
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems outlines this process in detail. By accrediting an information system, an agency official accepts responsibility for the security of their systems and is fully accountable for any adverse impacts of a data breach, data leak, unauthorized access, or other security incidents.
7. Continuous Monitoring
All FISMA-accredited systems must monitor their selected security controls, with documentation updated to reflect changes and modifications to the system. Large changes should trigger an updated risk assessment and may need to be recertified. Continuous monitoring activities include configuration management, control of information system components, the security impact analysis of changes to the system (like security ratings), ongoing assessment of security controls, and status reporting.
What are the Benefits of FISMA Compliance?
FISMA compliance has increased the security of sensitive federal information, protecting national security interests, and continuous monitoring provides agencies with information about how to maintain their security and eliminate vulnerabilities in a cost-effective manner.
For private-sector companies who do business with federal agencies, FISMA compliance can provide a leg up over other organizations when vying for federal contracts. By meeting FISMA compliance requirements, the added benefit is that companies improve their organization's data protection, prevent data breaches, and improve incident response planning.
What are the Penalties for Failing to Comply with FISMA?
For government agencies and third-party vendors, failing to comply with FISMA could result in congress censure, reducing federal funding, reputational damage, government hearings, loss of future contracts, and poor cybersecurity infrastructure.
What are FISMA Compliance Best Practices?
- Classify information as its created: This will allow you to prioritize security controls for your most sensitive information first.
- Encrypt sensitive data: Encryption is a great way to protect confidential data and reduce the impact and cost of data breaches.
- Run regular risk assessments: Risk assessments should be performed on a periodic basis to identify vulnerabilities, security gaps, and outdated policies
- Conduct employee training and education: Human error is the most common reason for data breaches and leaks. Training employees and providing cybersecurity education can significantly reduce the chances of costly errors.
- Maintain evidence of FISMA compliance: Record what work your organization has done to achieve FISMA compliance, such as the inventory of information systems, risk categorization framework, security controls, past risk assessments, system security plans, certifications, accreditations, and continuous monitoring solutions.
- Stay current with new regulations: Always stay updated on changes to FISMA standards or new NIST guidelines.
How UpGuard Can Help Maintain FISMA Compliance
UpGuard Vendor Risk can minimize the time your organization spends managing third-party relationships by automating vendor questionnaires, building customizable questionnaires to tailor by each specific vendor, and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Our platform scores your vendors daily with a security rating out of 950. Each vendor is rated against 50+ attack vectors, such as the presence of SSL and DNSSEC, as well as the risk of domain hijacking, man-in-the-middle attacks, and email spoofing for phishing. UpGuard can also help meet FISMA requirements by assessing vendor cyber risks.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customer's trust through cyber security ratings and continuous exposure detection.