Federal Information Security Modernization Act (FISMA)

Overview

FISMA is the primary federal law governing information security for federal agencies and their contractors. Originally enacted in 2002 and modernized in 2014, FISMA establishes a risk-based approach to information security management across the federal government.

Current Version: Federal Information Security Modernization Act of 2014 (Public Law 113-283)
Original Enactment: December 17, 2002 (FISMA 2002)
Modernization: December 18, 2014 (FISMA 2014)
Codified at: 44 U.S.C. Sec. 3551 et seq.

Legislative History

FISMA 2002 (Original Act)

• Enacted as Title III of the E-Government Act (Public Law 107-347)


• Established first comprehensive federal cybersecurity requirements


• Required agencies to develop information security programs


• Assigned responsibility to OMB for oversight


• Tasked NIST with developing information security standards

FISMA 2014 (Modernization Act)

• Reduced reporting burdens and eliminated wasteful processes


• Strengthened continuous monitoring (vs. annual snapshots)


• Clarified roles: DHS/CISA authority over civilian agency information security


• Improved incident response coordination with CISA


• Emphasized risk-based security decisions

Key Requirements

1. Annual Independent Assessment and Reporting

For CFO Act Agencies (23 civilian agencies):

• Inspector General (IG) conducts annual evaluation of information security program effectiveness


• Quarterly and semi-annual reporting to OMB


• Results published in annual FY FISMA metrics

For Non-CFO Act Agencies:

• Semi-annual reporting of security metrics


• Assessment of information security program and practices

2. System Categorization per FIPS 199

FIPS 199 Standard: Standards for Security Categorization of Federal Information and Information Systems

Categorize all federal information and information systems based on impact of loss of confidentiality, integrity, or availability:

• Low Impact: Limited adverse effects


• Moderate Impact: Serious adverse effects


• High Impact: Severe or catastrophic adverse effects

3. Security Controls from NIST SP 800-53

NIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations

20 Control Families:

1. Access Control (AC)


2. Awareness and Training (AT)


3. Audit and Accountability (AU)


4. Assessment, Authorization, and Monitoring (CA)


5. Configuration Management (CM)


6. Contingency Planning (CP)


7. Identification and Authentication (IA)


8. Incident Response (IR)


9. Maintenance (MA)


10. Media Protection (MP)


11. Physical and Environmental Protection (PE)


12. Planning (PL)


13. Personnel Security (PS)


14. Program Management (PM)


15. Risk Assessment (RA)


16. System and Services Acquisition (SA)


17. System and Communications Protection (SC)


18. System and Information Integrity (SI)


19. Supply Chain Risk Management (SR)


20. PII Processing and Transparency (PT)

Control Baselines:

• Low Impact Baseline: Applicable to systems with low impact


• Moderate Impact Baseline: Applicable to systems with moderate impact (most common)


• High Impact Baseline: Applicable to systems with high impact

4. Incident Reporting to CISA

Requirement: Report information security incidents to CISA within one hour of identification

Major Incidents: Report to Congress within seven days

Reporting Methods:

• CISA Incident Reporting Form: https://www.cisa.gov/forms/report


• Federal Incident Notification Guidelines


• Email: [email protected]

5. Continuous Monitoring Requirements

FISMA 2014 shifted from annual compliance snapshots to ongoing security assessment and authorization through NIST Risk Management Framework (RMF) Step 7: Monitor.

Implementation: Part of NIST SP 800-37 Risk Management Framework

NIST Risk Management Framework (RMF)

NIST SP 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations

Seven-Step RMF Process:

1. PREPARE: Carry out essential activities to prepare organization to manage security and privacy risk


2. CATEGORIZE: Categorize the information system based on FIPS 199


3. SELECT: Select, tailor, and document controls from NIST SP 800-53


4. IMPLEMENT: Implement security and privacy controls


5. ASSESS: Assess controls using appropriate assessment procedures


6. AUTHORIZE: Authorize system based on acceptable risk determination


7. MONITOR: Monitor system and controls on continuous basis

Scope and Applicability

Who Must Comply

Federal Agencies:

• All Executive Branch civilian agencies


• Non-national security federal agencies


• Information systems used or operated by an agency


• Information systems provided or managed by contractors on behalf of agencies

Contractors and Service Providers:

• Federal contractors handling federal information must comply with FISMA requirements


• FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

Exclusions:

• National security systems (separate requirements)


• Classified information systems (separate compliance regimes)


• State and local government systems (unless receiving federal funding)

Enforcement Mechanisms

Office of Management and Budget (OMB)

• Directs federal agency information security policies


• Develops and issues annual FISMA guidance memoranda


• Reviews agency FISMA metrics and performance


• Authority to withhold agency budget for non-compliance (per 44 U.S.C. Sec. 3555)

Government Accountability Office (GAO)

• Conducts periodic audits of federal agency information security programs


• Reviews agency compliance with FISMA requirements


• Issues reports to Congress on cybersecurity effectiveness

Inspector General (IG) Assessments

• Each CFO Act agency must conduct annual independent evaluation


• Results reported to OMB and included in agency annual reports


• Assessment Framework: CISA FY 2025 IG FISMA Metrics Evaluation Guide

Congressional Oversight

• OMB provides periodic reports to Congress


• Major incidents reported to Congress within 7 days


• GAO reports to Congress on agency compliance

Penalties and Enforcement Consequences

Budgetary Consequences

• OMB may withhold funds or defer agency budget authority (44 U.S.C. Sec. 3555)


• Rarely invoked but provides ultimate budgetary leverage

Leadership Accountability

• Agencies rated "not effective" receive negative public visibility


• Poor FISMA ratings affect agency leadership and CIO performance evaluations


• Congressional and GAO scrutiny for non-compliant agencies

Note: FISMA does not establish direct civil penalties or fines for individual violations. Enforcement relies on public reporting, accountability, and OMB budget authority.

Massachusetts Perspective

Impact on Massachusetts State Government

Direct Applicability: FISMA applies to federal agencies and their contractors, not Massachusetts state government directly.

Federal Funding Conditions: State agencies operating federal information systems or receiving federal IT funding may need to comply with FISMA or equivalent standards.

Massachusetts-Based Contractors and Service Providers

Massachusetts companies contracting with federal agencies must comply with FISMA requirements if:

• Providing IT services to federal agencies


• Operating federal information systems


• Handling federal information or data


• Receiving federal IT contracts

FAR Compliance: Massachusetts contractors must meet Federal Acquisition Regulation (FAR) Part 39 and FAR 52.204-21.

Massachusetts Federal Contractors

Examples of Federal Influence:

• Massachusetts agencies participating in federal grant programs (Medicaid, social services)


• University systems and research institutions with federal research data (MIT, Harvard, UMass)


• Local law enforcement agencies with federal law enforcement data/systems

Related Frameworks

FedRAMP (Federal Risk and Authorization Management Program)

• Standardized approach for cloud service providers to obtain federal authorization


• FedRAMP is FISMA implementation for cloud services


• Uses NIST SP 800-53 controls as foundation

CMMC (Cybersecurity Maturity Model Certification)

• DoD contractor cybersecurity certification requirement


• Based on NIST SP 800-53 and NIST SP 800-171


• Mandatory for DoD contracts involving Controlled Unclassified Information

NIST Cybersecurity Framework (CSF)

• Voluntary framework for managing cybersecurity risk


• FISMA IG metrics align with NIST CSF 2.0 functions


• NIST CSF 2.0 incorporates FISMA requirements

Effective Dates

FISMA 2002 Effective Date

• Enacted: December 17, 2002


• Effective: Immediately upon enactment


• Implementation: Agencies began in 2003

FISMA 2014 Reforms Effective Date

• Enacted: December 18, 2014


• Effective: Immediately upon enactment


• OMB Circular A-130 Updated: July 2016

Current Status: FISMA 2014 remains current governing law with regular updates through annual OMB memoranda.

Key Takeaways

1. Comprehensive Framework: FISMA establishes comprehensive federal cybersecurity requirements based on NIST standards


2. Risk Management Approach: Uses NIST Risk Management Framework with seven-step process


3. Continuous Monitoring: FISMA 2014 shifted to continuous monitoring vs. annual compliance snapshots


4. Mandatory Incident Reporting: One-hour reporting to CISA for all incidents


5. Accountability: Annual IG assessments and congressional reporting ensure transparency


6. Contractor Applicability: Federal contractors must comply when handling federal information


7. Massachusetts Context: Applies to MA-based federal contractors and agencies receiving federal funding