The Federal Information Security Management/Modernization Act of 2002/2014 (FISMA) | Overview

The Federal Information Security Management Act of 2002, more commonly known as FISMA, is a major piece of legislation signed into law by President George W. Bush as part of the E-Government Act. It formally recognized the fundamental importance of information security to the national security of the United States. What's significant about FISMA is that it finally brought about a cohesive, unified and transparent platform for information security across federal agencies. As such, each federal agency is required to develop, document, and implement a viable information security program for ensuring the confidentiality, integrity, and availability (CIA) of the agency's assets.

Additionally, the scope of FISMA includes not only the agencies themselves, but also all relevant and applicable "other sources", such as contractors and other agencies. Many changes came about after the September 11, 2001 attacks, and the signing of the E-Government Act, along with Title III of that Act (which is FISMA), was one of the initiatives put forward by the United States government in response.

FISMA Requirements for Compliance

FISMA adheres to the concept that an effective information security program should contain a number of essential conditions and provisions - measures deemed necessary for the successful implementation of information security as a whole. Thus, according to FISMA, the following measures are a requirement for today's information security programs:

  • Risk Assessment
  • Policies and Procedures
  • Subordinate Plans
  • Security Awareness Training
  • Testing and evaluation of information security
  • Effective measures for planning, implementing, evaluating, and documenting areas of remediation
  • Effective measures for detecting, reporting, and responding to security incidents and threats
  • Business Continuity and Disaster Recovery Planning (BCDRP)

Additionally, FISMA requires that government agencies effectively plan for security, ensure that authorized employees are given specific security responsibilities, review their security controls on a periodic basis, and carry out other supporting management responsibilities. It's a large task indeed, but FISMA comes with excellent guidance, such as the extensive NIST SP-800 series of documents. NIST, which stands for the "National Institute of Standards and Technology", is a "measurement standards laboratory".

The relationship between FISMA and NIST is paramount in that the effective development, documentation, and implementation of a security program - in accordance with FISMA - is highly dependent on the publications put forth by NIST, especially the NIST SP-800 series just mentioned. These publications are extremely in-depth and comprehensive, covering a wide range of topics within information security. In fact, many private sector businesses rely heavily on the NIST SP-800 documents for their own information security needs.

Other additional components of FISMA compliance include the following:

  • Risk Management: Without question one of the core components of FISMA is for government agencies and "other sources" (i.e., contractors, other agencies, etc.) to implement a comprehensive risk management program - one designed specifically in accordance with the integrated risk management framework, a multi-step process consisting of: (1) Categorize, (2) Select, (3) Implement, (4) Assess, (5) Authorize, and (6) Monitor.
  • Ensuring that one's information security program includes the following core components: (1) Security Categorization, (2) Security Controls, (3) Security Assessment, (4) Authorization and Monitoring, (5) Security Configuration Settings, and (6) other applicable components.

FISMA compliance is a game changer, to say the least, especially for the many private sector entities that must comply with this large and looming legislative mandate. It's important to note that documented information security policies and procedures are a major requirement for FISMA compliance, and thankfully the all-inclusive set of documents from FLANK can help.

Information Security Policies and Procedures are Critical for FISMA Compliance

It's critical that organizations seeking to comply with FISMA obtain a comprehensive set of information security policy and procedure documents, such as those offered by us. They help streamline many of the FISMA requirements, as the all-inclusive set of templates contains all the policies and procedures applicable to FISMA itself. Additionally, we provide consulting services for FISMA compliance, such as gap analysis and readiness assessments, along with consulting for remediation.