Skip to content Skip to navigation Skip to footer

What Is FISMA?

FISMA Overview

The Federal Information Security Management Act (FISMA) was passed by the United States Congress in 2002. It dictates that federal agencies incorporate information security measures designed for the protection of sensitive data. The compliance standards are set by both the National Institute of Standards and Technology (NIST) and FISMA

The NIST is responsible for keeping the compliance documents up to date and ensuring they protect information adequately, include appropriate risk assessment measures, and set forth the security measures necessary to establish a minimum level of protection for sensitive data.

Why Was FISMA Created?

FISMA was created to make sure federal agencies design, document, and apply comprehensive security plans to safeguard and support the safe operation of each agency. In this way, FISMA is similar to the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Risk and Authorization Management Program (FedRAMP), and the Sarbanes-Oxley Act (SOX)—all of which protect the general public from information security dangers.

Who Needs To Follow FISMA Compliance?

FISMA, at first, was designed to only apply to federal agencies. As time went on, it changed and expanded, covering state agencies charged with the management of federal programs, such as Medicaid, Medicare, and unemployment insurance. FISMA also applies to private companies that have contracts with federal agencies. 

FISMA Compliance Requirements

Information System Inventory

To remain in compliance, an agency has to keep an inventory of all its systems and how they tie in to the agency’s work.

Risk Categorization

The way in which an agency categorizes its security and risk requirements is documented in the Federal Information Processing Standards (FIPS) 199. Every agency has the responsibility of maintaining the highest level of security as outlined in this document.

System Security Plan

Each agency, to remain in compliance, must develop a security plan—and a process that ensures it is regularly updated.

Security Controls

There are 20 security controls outlined in NIST 800-53. Every agency must implement them to remain in compliance.

Risk Assessments

If an agency alters their systems., they have to re-assess their risk according to a three-tier system, as described in the NIST’s Risk Management Framework (RMF).

Certification and Accreditation

To remain in compliance with FISMA, every agency must conduct security reviews at least once a year. They then must show that they can put the measures in place, maintain them, and monitor the relevant systems.

FISMA Compliance Best Practices

1. Classify Information as It Is Created

All information must be classified to help those in charge of its management assess which standards apply to it. In this way, they can decide how to make sure the organization remains in compliance.

2. Automatically Encrypt Sensitive Data

All sensitive data must be encrypted by default. This is so you can eliminate the potentially time-consuming step of retroactively securing FISMA-relevant data.

3. Maintain Written Evidence of FISMA Compliance

As with all compliance measures, it is important to both show and prove. Maintaining written evidence is useful in the event of a FISMA audit or investigation, as well as for training others regarding compliance standards.

4. Stay Current with Any Changes To the FISMA Standards

It is crucial to stay current with any adjustments or additions to FISMA standards, not only to remain in compliance but also for the security of your organization’s information systems. To accomplish this, it will be helpful to focus on:

  1. Making updates according to recent information from the NIST’s RMF
  2. Maintaining the privacy and protection of data
  3. Implementing security best practices

FISMA Compliance: Violations and Penalties

One of the most impactful penalties for lack of FISMA compliance for a private company is losing federal funding. This can happen as soon as a FISMA-related breach has been identified and proven by an investigating authority. The penalties for government employees include losing employment and censure, which is a type of public condemnation.

How Fortinet Can Help

FortiSIEM, the Fortinet security information and event management solution (SIEM), provides organizations with next-generation SIEM. FortiSIEM can keep you in compliance with FISMA regulations because it combines full visibility into your system and its connected components, automated responses, and remediation measures meant to identify and handle threats as they arise. 

With FortiSIEM, you can leverage the visibility it affords your IT team in identifying vulnerabilities caused by both humans and insufficient digital security—and then act accordingly. Further, FortiSIEM can respond automatically to threats that can result in your organization falling out of FISMA compliance.

Learn more about IT Operations (ITOps) and IT Security Policies.


What is FISMA compliance?

The Federal Information Security Management Act (FISMA) dictates that federal agencies incorporate information security measures designed for the protection of sensitive data. The compliance standards are set by both the National Institute of Standards and Technology (NIST) and FISMA. To remain in compliance, an organization that works with a government agency must implement these standards.

What is the difference between FISMA and FedRAMP?

While both FISMA and the Federal Risk and Authorization Management Program (FedRAMP) deal with cybersecurity, FedRAMP focuses on helping government agencies choose safe, reliable cloud services. Once a cloud provider has received FedRAMP approval, it is deemed safe for a government agency to use.

Who uses FISMA?

All government agencies at the federal level use FISMA, as well as state agencies responsible for managing programs sponsored by the federal government. In addition, private companies that partner with government agencies also have to use FISMA.

What are the FISMA requirements?

The FISMA requirements are outlined by the NIST and FISMA. They describe how an organization can protect sensitive data.

What is a FISMA audit?

A FISMA audit uses NIST Special Publication 800-53 as a framework for making sure an organization is compliant with FISMA requirements. During the audit, an organization's systems and procedures will be examined to determine how well they manage information access and how data is used, disclosed, disrupted, modified, or destroyed.