FISMA

United States Federal Law

What is FISMA?

The Federal Information Security Management Act (FISMA) is a United States (US) federal law enacted as Title III of the 2002 E‐Government Act (Pub.L. 107–347, 116 Stat. 2899). FISMA requires federal agencies, and those providing services on their behalf, to develop, document, and implement security programs for information systems. The act recognized the importance of information security to US economic and national security interests. FISMA brought attention to cybersecurity within the federal government and explicitly emphasized a “risk‐based policy for cost‐effective security”. In April 2010, the Office of Management and Budget (OMB) issued a memorandum requiring all federal agencies to report their FISMA activities to Congress. FISMA requires federal agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to the OMB. OMB uses these data to assist in its oversight responsibilities and to prepare the annual report to Congress on agency compliance with the act. The 2010 OMB memo also reiterated the requirement for federal agencies to include FISMA compliance in all contracts involving federally regulated data, as well as grants where regulated data are created, accessed, or stored on behalf of the federal government. While FISMA generally applies to federal agencies, FISMA compliance is increasingly required of recipients of federal grants and contracts.

There are three levels of FISMA:

  1. FISMA LOW – The unauthorized disclosure of information could be expected to have a limited adverse effect on the organizational operations, organizational assets, or individuals.
  2. FISMA MODERATE – FIPS 140-2 VALIDATED products required. The unauthorized disclosure of information could be expected to have a SERIOUS adverse effect on the organizational operations, organizational assets, or individuals.
  3. FISMA HIGH – FIPS 140-2 VALIDATED products required. The unauthorized disclosure of information could be expected to have a SEVERE or CATASTROPHIC adverse effect on the organizational operations, organizational assets, or individuals.

FISMA points to several NIST documents, ALL of which call for FIPS 140-2 for FISMA MODERATE and FISMA HIGH networks.

The MODERATE level is often thought to be a grey area. This is false. FISMA MODERATE specifically calls for FIPS 140-2 VALIDATED products on the network.