Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.

The Electronic Government Act was introduced in order to improve the management of electronic government services and processes. FISMA was one of the more important regulations in the act, because it brought forth a method to reduce security risks to federal data while managing spending on information security. A set of guidelines was created for federal agencies to comply with and meet.

Since 2002, FISMA’s scope has widened to apply to state agencies that administer federal programs, or private businesses that have a contract with the government. Reduced federal funding or other penalties may result from non-compliance.

FISMA Compliance

FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in appropriate information systems.
  6. Assess the effectiveness of the security controls once they have been implemented.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls on a continuous basis.

Pros and Cons of FISMA

FISMA in general allows for an increase in the security of federal information, within both federal and state agencies. Moreover, any business within the private sector will be assured that it is using best security practices as well. In addition, more baseline controls and security plans mean a greater ability to respond to vulnerabilities.

There are also concerns around FISMA, though. For example, sharing cybersecurity information between agencies may be difficult. In addition, FISMA has needed, and will continue to need, improvements over time as new threats come about.

This was last updated in July 2020


Join the conversation



I don't believe the link to the site is what was intended.
FISMA is the Federal Information Security Modernization Act, not Management Act.
It is actually both. The original FISMA (Federal Information Security Management Act) was updated in 2014 and is now called the Federal Information Security Modernization Act.
FISMA requires federal agencies to secure government information, operations, national security interests and assets against natural and man-made threats. You can work with IT governance consulting firms like Wilson Consulting Group to assist you with FISMA compliance.