Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act is a US law that establishes cybersecurity requirements for federal agencies and their information systems.
Enacted in 2002 and updated in 2014 (FISMA 2014), this legislation mandates that federal agencies develop, document, and implement comprehensive information security programs to protect government data and systems.
FISMA requires agencies to conduct regular risk assessments, implement security controls based on NIST guidelines, and undergo periodic security audits. The law also establishes the role of Chief Information Security Officers within agencies and requires annual reporting to Congress on cybersecurity posture. Additionally, FISMA extends security requirements to contractors and third parties that handle federal information systems.
The act emphasizes a risk-based approach to cybersecurity, requiring agencies to categorize their information systems by impact level (low, moderate, or high) and implement appropriate security controls accordingly. FISMA compliance involves continuous monitoring, incident response planning, and regular security training for personnel. While primarily governing federal agencies, FISMA's framework has influenced cybersecurity practices across many industries and serves as a foundation for other security frameworks and regulations.