Federal Information Security Management Act - FISMA

The Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002, outlines requirements to secure federal information.

Each federal agency, including contractors and other organizations that work with the agency, must develop, document, and implement an agency-wide information security program. The National Institute of Standards and Technology (NIST) provides detailed guidance and recommendations for FISMA compliance, and its guidelines cover all aspects of information security. FISMA sections 3544 and 3505 require the following:

Compliance for every IT system - Agencies must identify every system in use that accesses federal information and validate its compliance. To help agencies achieve this, NIST has published a series of guidelines, checklists, and templates that detail acceptable configurations for systems.

Risk assessment - The agency must maintain an agency-wide information security program that includes controls and checks to ensure its effectiveness, including reporting on existing risks and the responses to them.

Incident response - The NIST Controls document outlines specific steps to follow and functions to perform depending on the level of threat posed by the environment.

Intrusion detection - Requires reporting on cybersecurity risks and responses.

Boundary protection - Systems and applications must be protected from unauthorized access, both from outside the agency and its contractors and from within.
