
Federal Information Security Management Act

From GovITwiki


The Federal Information Security Management Act, also known as FISMA (44 U.S.C. § 3541 et seq.), is a U.S. federal law enacted in 2002. It is Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899), which the President signed into law on December 17, 2002.

FISMA permanently reauthorized a framework originally laid out in the Government Information Security Reform Act of 2000 (GISRA) which expired in November 2002. The National Institute of Standards and Technology (NIST) works with agencies in the development of the standards.



A chief goal of FISMA is to improve computer and network security within the Federal Government. It also applies to government contractors.

Mandated yearly security audits are a key feature of FISMA, along with a mandatory set of processes that must be followed for all information systems. These processes must follow a combination of Federal Information Processing Standards (FIPS) documents, the NIST Special Publication 800 (SP 800) series, and other legislation pertinent to federal information systems, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act.

One criticism of FISMA is that satisfying every mandate produces compliance but does not by itself assure security. However, FISMA has prompted close scrutiny of IT security by federal agencies, and it has helped improve overall security.

NOTE: An earlier version of FISMA was enacted as part of the Homeland Security Act (P.L. 107-296). As provided in 44 U.S.C. 3549 and as stated by the President in his signing statement for the E-Government Act, the version of FISMA in the Homeland Security Act is not in effect. The version of FISMA in effect and to which all agencies are held accountable is the version found in the E-Government Act referenced above.

The FISMA Process

The basic steps for FISMA often follow the list shown below:

1) Establish the boundaries of your information system.

2) Determine the information types in the system and perform FIPS-199 categorization. NIST SP 800-60 provides a catalog of information types, while FIPS-199 provides the rating methodology and a definition of the three criteria.

3) Document the system. System boundaries, information types, constituent components, responsible individuals, a description of user communities, interconnections with other systems, and implementation details for each security control need to be documented in the system security plan. Include details on hardware, software and services. NIST SP 800-18 Rev 1 gives guidance on documentation standards; guidance on contingency planning can be found in NIST SP 800-34.

4) Perform a risk assessment. Identify potential threats and vulnerabilities, and map implemented controls to individual vulnerabilities. Risk can sometimes be determined by calculating the likelihood and impact of a given vulnerability being exploited, taking existing controls into account. NIST SP 800-30 provides guidance on the risk assessment process.

5) Select and Implement a Set of Security Controls for System. Federal agencies must meet the minimum security requirements defined in FIPS 200 through the use of the security controls in NIST SP 800-53 revision 1, Recommended Security Controls for Federal Information Systems, which contains the management, operational, and technical safeguards or countermeasures prescribed for an information system.

6) Work toward certification of the system. The system needs to have its controls assessed and certified to be functioning appropriately. For systems with a FIPS-199 categorization of Low, a self-assessment is sufficient for certification. For systems categorized at higher FIPS-199 levels, a certification performed by an independent third party is required. NIST SP 800-53A provides guidance on the assessment methods applicable to individual controls.

7) Accreditation of System. Once a system has been certified, the security documentation package is reviewed by an accrediting official, who, if satisfied with the documentation and the results of certification, accredits the system by issuing an authorization to operate (ATO). This authorization is usually for a 3 year period, and may be contingent on additional controls or processes being implemented. NIST SP 800-37 provides guidance on the certification and accreditation of systems.

8) Continuous Monitoring. All accredited systems are required to monitor a selected set of security controls for efficacy, and the system documentation is updated to reflect changes and modifications to the system. Guidance on continuous monitoring can be found in NIST SP 800-37 and SP 800-53A.
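The categorization in step 2 drives the baseline chosen in step 5 and the assessment rigour demanded in step 6, so it is worth seeing the arithmetic once. The following is an added example written for this page; it is not code from GovITwiki or from NIST. It applies the FIPS 199 high-water mark (the maximum impact per security objective across all information types on a system, with the system-level floor of Low) and then reports the consequence the page states for step 6. The information types and their impact values are constructed for illustration and are not the provisional levels from SP 800-60.

```python
"""Added worked example: FIPS 199 security categorization by high-water mark.

Not part of the GovITwiki page or any NIST publication. Sample data below is
constructed; consult NIST SP 800-60 for real provisional impact levels.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact levels defined by FIPS 199 (N/A is allowed only for
    the confidentiality of an individual information type)."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type with its confidentiality/integrity/availability impact."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


# Constructed sample: a hypothetical agency system carrying three information types.
SAMPLE_SYSTEM = [
    InfoType("Public web content", Impact.NA, Impact.LOW, Impact.LOW),
    InfoType("Citizen contact records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Internal audit logs", Impact.LOW, Impact.MODERATE, Impact.LOW),
]

# Constructed sample: a system that holds nothing but public information.
PUBLIC_ONLY = [InfoType("Press releases", Impact.NA, Impact.LOW, Impact.LOW)]


def categorize(info_types):
    """High-water mark: for each objective, the maximum impact over all information types."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        "confidentiality": max(t.confidentiality for t in info_types),
        "integrity": max(t.integrity for t in info_types),
        "availability": max(t.availability for t in info_types),
    }


def system_category(info_types):
    """Apply the high-water mark and the system-level floor.

    FIPS 199 permits N/A only for the confidentiality of individual information
    types; an information system is categorized at LOW at minimum for every objective.
    """
    return {obj: max(level, Impact.LOW) for obj, level in categorize(info_types).items()}


def overall_impact(system_cat):
    """Overall system impact level: the highest of the three objectives."""
    return max(system_cat.values())


def assessment_requirement(level):
    """Step 6 from the page: Low may be self-assessed; higher levels need an independent third party."""
    if level == Impact.LOW:
        return "self-assessment"
    return "independent third-party certification"


def fips199_statement(system_cat):
    """Render the categorization in the FIPS 199 notation SC = {(objective, level), ...}."""
    body = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in system_cat.items())
    return "SC = {" + body + "}"


if __name__ == "__main__":
    for label, system in (("sample system", SAMPLE_SYSTEM), ("public-only system", PUBLIC_ONLY)):
        cat = system_category(system)
        level = overall_impact(cat)
        print(f"{label}: {fips199_statement(cat)}")
        print(f"  overall impact {level.name}; certification via {assessment_requirement(level)}")
```

Note that a single moderate-impact information type pulls the whole system to Moderate even when everything else on it is Low; that is the practical reason the boundary decision in step 1 matters so much, since what sits inside the boundary sets the baseline for everything else inside it.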


See our FISMA Phase II entry


  • [1] NIST: FISMA Implementation Project
  • [2] FCW: Security experts fault FISMA paperwork
  • [3] GCN: Interview with Bruce Brody
  • [4] GCN: Experts: It’s time to fix FISMA

