The Federal Information Security Management Act (FISMA) is a United States (US) federal law enacted as Title III of the 2002 E‐Government Act (Pub.L. 107–347, 116 Stat. 2899). FISMA requires federal agencies, and those providing services on their behalf, to develop, document, and implement security programs for information systems. The act recognized the importance of information security to US economic and national security interests. FISMA brought attention to cybersecurity within the federal government and explicitly emphasized a “risk‐based policy for cost‐effective security”.

In April 2010, the Office of Management and Budget (OMB) issued a memorandum requiring all federal agencies to report their FISMA activities to Congress. FISMA requires federal agency program officials, chief information officers, and inspector generals (IGs) to conduct annual reviews of the agency’s information security program and report the results to the OMB. OMB uses these data to assist in its oversight responsibilities and to prepare the annual report to Congress on agency compliance with the act. The 2010 OMB memo also reiterated the requirement for federal agencies to include FISMA compliance in all contracts involving federally regulated data, as well as grants where regulated data are created, accessed, or stored on behalf of the federal government. While FISMA generally applies to federal agencies, FISMA compliance is increasing for recipients of federal grants and contracts.