FISMA (Federal Information Security Modernization Act)

Federal Information Security Modernization Act requires agencies to secure federal information systems.

Definition

The Federal Information Security Modernization Act (FISMA) of 2014 (updating the Federal Information Security Management Act of 2002) establishes a framework for securing federal information and information systems. FISMA requires agencies to develop, document, and implement information security programs; conduct annual security assessments; and report security status to OMB. FISMA applies to federal agencies and contractors operating systems on behalf of agencies or connecting to federal systems. Key FISMA requirements include risk management following NIST guidelines, security control implementation based on system categorization, continuous monitoring, incident response, and security awareness training. FISMA compliance is evaluated through annual FISMA audits, and non-compliance can affect agency funding and contractor eligibility.

Also Known As

  • Federal Information Security Act
  • FISMA Compliance

Examples

Common Mistakes to Avoid

  • Treating FISMA as a one-time compliance exercise rather than an ongoing program
  • Not understanding that FISMA requirements flow down to contractors
  • Confusing FISMA (law) with NIST (guidance implementing the law)

Who Should Know This Term

Federal IT managers, agency CISOs, contractor security teams, system administrators

Official Source

44 U.S.C. 3551-3558