Federal Information Security Modernization Act


by Faulkner Staff

Docid: 00011143

Publication Date: 1906

Report Type: TUTORIAL


The Federal Information Security Management Act of 2002 (FISMA) was a
living, and frequently changing, document intended to provide a
comprehensive framework for US federal government agencies to improve
security. Those changes are evident in the Federal Information Security
Modernization Act of 2014 (Public Law 113-283), which changes oversight
of government security and introduces new legislative requirements
designed to reduce the reporting burden and inefficient activity that
was associated with the original FISMA. FISMA is designed to adapt to
changing technologies, which presents challenges for organizations wishing
to contract goods and services with the US federal government. To help
agencies and contractors achieve FISMA compliance, the National Institute
of Standards and Technology provides detailed guidance and recommendations.


Executive Summary


The Federal Information Security Management Act (FISMA) was passed as
part of the Homeland Security Act of 2002 and the E-Government Act (E-GA)
of 2002. It was further updated to become the Federal Information Security
Modernization Act of 2014. The act requires every government agency to
secure the information and information systems that support its operations
and assets, including those provided by other agencies, contractors, or
other sources. The updates to the act move the authority to administer the
implementation of those policies to the Department of Homeland Security
(DHS) and re-establish the oversight authority for the Director of the
Office of Management and Budget (OMB) with respect to agency information
security policies and practices. Since taking over that authority, OMB
has been retiring requirements of the original 2002 act that were
superseded by the 2014 update.

FISMA policies are designed to protect government information systems
from being compromised by network attacks. The act also helps federal
agencies define security baselines, embed security within IT initiatives,
and establish uniform criteria for security planning, testing, and
evaluation. Although FISMA applies only to the government sector, its
approach to compliance can also be useful for the private sector.

According to the USA Patriot Act (P.L. 107-56), it is necessary to
protect “systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on national security, national
economic security, national public health and safety, or any combination
of those matters.” The National Institute of Standards and Technology
(NIST) is tasked with developing the security standards and guidance
necessary for federal agencies and contractors to demonstrate compliance
with the legislation. NIST engaged in a multi-year, two-phase effort to
accomplish the goals and objectives of the legislation:

  1. Phase I: Development of FISMA-related security standards and
    guidelines, which was completed by the end of 2012.
  2. Phase II: Development of a credentialing program for security
    assessment service providers. This phase began in 2007 and was also
    completed by the end of 2012.

As of this printing, NIST has developed two major FISMA security standards:

  1. The Federal Information Processing Standard (FIPS) 199: Standards for
    Security Categorization of Federal Information and Information Systems
  2. The Federal Information Processing Standard (FIPS) 200: Minimum
    Security Requirements for Federal Information and Information Systems

NIST has also developed numerous FISMA security guidance documents,
including:


  1. FIPS Publication 199, Standards for Security Categorization of Federal
    Information and Information Systems (Final)
  2. FIPS Publication 200, Minimum Security Requirements for Federal
    Information and Federal Information Systems (Final)
  3. NIST Special Publication 800-18 (Revision 1), Guide for Developing
    Security Plans for Federal Information Systems and Organizations (Final)
  4. NIST Special Publication 800-30 (Revision 1), Risk Assessment
    Guideline (Completion December 2010)
  5. NIST Special Publication 800-37, Guide for the Security Certification
    and Accreditation of Federal Information Systems (Final)
  6. NIST Special Publication 800-37 (Revision 1), Guide for Security
    Authorization of Federal Information Systems: A Security Life Cycle
    Approach (Revision Cycle; Completion June 2009)
  7. NIST Special Publication 800-39, Managing Information Security Risk:
    Organization, Mission, and Information System View (Final)
  8. NIST Special Publication 800-53 (Revision 4), Security and Privacy
    Controls for Federal Information Systems and Organizations
  9. NIST Special Publication 800-53 (Revision 3), Recommended Security
    Controls for Federal Information Systems (Final)
  10. NIST Special Publication 800-53A (Revision 1), Guide for Assessing
    the Security Controls in Federal Information Systems and Organizations,
    Building Effective Security Assessment Plans (Final)
  11. NIST Special Publication 800-59, Guideline for Identifying an
    Information System as a National Security System (Final)
  12. NIST Special Publication 800-60 (Revision 1), Guide for Mapping Types
    of Information and Information Systems to Security Categories (Final)
  13. NIST Special Publication 800-128, Guide for Security-Focused
    Configuration Management of Information Systems (Final)
  14. NIST Special Publication 800-137, Information Security Continuous
    Monitoring for Federal Information Systems and Organizations (Final)


  1. NISTIR 7328. Security Assessment Provider Requirements and Customer
    Responsibilities; Building a Security Assessment Credentialing Program
    (Revision Cycle)
  2. FAQs and QSGs (Quick Start Guides) for Risk Management Framework
    Steps: Categorize, Select, Implement, Assess, Authorize, Monitor;
    Training Module
  3. On-line Course Available: Applying the Risk Management Framework
    to Federal Information Systems

NIST has developed a FISMA Risk Management Framework designed to do the
following:

  • Categorize the information system along with the information
    processed, stored, and transmitted by that system based on an impact
    analysis.
  • Select an initial set of baseline security controls for the
    information system based on the security categorization; tailoring and
    supplementing the security control baseline as needed based on
    organization assessment of risk and local conditions.
  • Implement the security controls and document how the controls are
    deployed within the information system and environment of operation.
  • Assess the security controls using appropriate procedures to determine
    the extent to which the controls are implemented correctly, operating as
    intended, and producing the desired outcome with respect to meeting the
    security requirements for the system.
  • Authorize information system operation based upon a determination of
    the risk to organizational operations and assets, individuals, other
    organizations and the Nation resulting from the operation of the
    information system and the decision that this risk is acceptable.
  • Monitor and assess selected security controls in the information
    system on an ongoing basis including assessing security control
    effectiveness, documenting changes to the system or environment of
    operation, conducting security impact analyses of the associated
    changes, and reporting the security state of the system to appropriate
    organizational officials.

Additional changes to FISMA 2014 include:

  • Requires DHS to develop and oversee implementation of operational
    directives requiring agencies to implement the OMB’s standards and
    guidelines for safeguarding federal information and systems from a known
    or reasonably suspected information security threat, vulnerability, or
    risk. Authorizes the OMB to revise or repeal operational directives that
    are not in accordance with the OMB’s policies.
  • Requires DHS to ensure the operation of the Federal Information
    Security Incident Center (FISIC).
  • Directs DHS to administer procedures to deploy technology, upon
    request by an agency, to assist the agency to continuously diagnose and
    mitigate against cyber threats and vulnerabilities.
  • Requires the OMB’s annual report to Congress regarding the
    effectiveness of information security policies to assess agency
    compliance with OMB data breach notification procedures.
  • Provides for OMB’s information security authorities to be delegated to
    the Director of National Intelligence (DNI) for certain systems operated
    by an element of the intelligence community.
  • Directs DHS to consult with and consider guidance developed by the
    National Institute of Standards and Technology (NIST) to ensure that
    operational directives do not conflict with NIST information security
    standards and guidelines.
  • Directs agency heads to ensure that:
    • Information security management processes are integrated with
      budgetary planning;
    • Senior agency officials, including chief information officers,
      carry out their information security responsibilities; and
    • All personnel are held accountable for complying with the
      agency-wide information security program.
  • Provides for the use of automated tools in agencies’ information
    security programs, including for periodic risk assessments, testing of
    security procedures, and detecting, reporting, and responding to
    security incidents.
  • Requires agencies to include offices of general counsel as recipients
    of security incident notices. Requires agencies to notify Congress of
    major security incidents within seven days after there is a reasonable
    basis to conclude that a major incident has occurred.
  • Directs agencies to submit an annual report regarding major incidents
    to OMB, DHS, Congress, and the Comptroller General (GAO). Requires such
    reports to include:

    • Threats and threat actors, vulnerabilities, and impacts;
    • Risk assessments of affected systems before, and the status of
      compliance of the systems at the time of, major incidents;
    • Detection, response, and remediation actions;
    • The total number of incidents; and
    • A description of the number of individuals affected by, and the
      information exposed by, major incidents involving a breach of
      personally identifiable information.
  • Authorizes Government Accountability Office (GAO) to provide technical
    assistance to agencies and inspectors general, including by testing
    information security controls and procedures.
  • Requires OMB to ensure the development of guidance for:
    • Evaluating the effectiveness of information security programs and
      practices, and
    • Determining what constitutes a major incident.
  • Directs FISIC to provide agencies with intelligence about cyber
    threats, vulnerabilities, and incidents for risk assessments.
  • Directs OMB, during the two-year period after enactment of this Act,
    to include in an annual report to Congress an assessment of the adoption
    by agencies of continuous diagnostics technologies and other advanced
    security tools.
  • Requires OMB to ensure that data breach notification policies require
    agencies, after discovering an unauthorized acquisition or access, to
    notify:

    • Congress within 30 days, and
    • Affected individuals as expeditiously as practicable. Allows the
      Attorney General, heads of elements of the intelligence community,
      or the DHS Secretary to delay notice to affected individuals for
      purposes of law enforcement investigations, national security, or
      security remediation actions.
  • Requires OMB to amend or revise OMB Circular A-130 to eliminate
    inefficient and wasteful reporting.
  • Directs the Information Security and Privacy Advisory Board to advise
    and provide annual reports to DHS.

NIST publications are roadmaps that federal agencies can use to ensure
security practices are enforced. Federal Information Processing Standards
(FIPS), however, must be implemented exactly as they are written with no
agency interpretation allowed. And all federal agencies must follow the
published NIST standards and guidelines.



The legislation (Public Law 107-347, Title III) states that “each federal
agency shall develop, document, and implement an agency-wide information
security program to provide information security for the information and
information systems that support the operations and assets of the agency,
including those provided or managed by another agency, contractor, or
other source.”

The specific objectives of the legislation are to:

  • Provide a comprehensive framework to ensure that effective security
    controls are placed over the information systems that support federal
    operations and assets.
  • Recognize the complexity of the IT environment in federal agencies and
    ensure the effective management of information security risks.
  • Require the development and maintenance of minimum controls for the
    protection of federal information systems.
  • Provide a mechanism for improved oversight of information security
    programs.
  • Acknowledge that commercially developed information security solutions
    are available for the protection of critical information
    infrastructures.
  • Recognize that each federal agency should be able to make individual
    selections of specific hardware and software pertaining to information
    security.

All agencies required to comply with the Paperwork Reduction Act (PRA)
(44 USC 3501-3520) must implement the requirements of FISMA and report
both quarterly and annually to the Office of Management and Budget (OMB),
which acts as FISMA’s oversight body, as well as to Congress, on the
effectiveness of their information security policies, procedures, and
practices.

Agencies are required to report any significant deficiencies in these
areas in order to track key IT security weaknesses. Additionally, it is
mandatory that all agencies implement processes to measure IT security
performance.
To meet reporting requirements, every year, the Chief Information
Officers (CIOs), Chief Information Security Officers (CISOs), and agency
Inspectors General at the 24 largest federal agencies are asked to answer
questions concerning the processes and policies they use to secure federal
computer systems and comply with FISMA. The questions roughly fall into
one of seven categories, including the following:

Annual Testing

  • What percentage of agency programs and systems has the CIO and/or
    agency Inspectors General reviewed for security this year?
  • Describe the degree to which agency program officials and the agency
    CIO have used appropriate methods in the past fiscal year to ensure that
    contractor or agency provided services are adequately secure and meet
    policy requirements.
  • Describe the degree to which the agency used NIST’s self-assessment
    guide or equivalent methodology this year to conduct security reviews.
  • Has the agency appointed a senior information security officer who
    reports directly to the CIO?

Plan of Action and Milestones

  • Has the agency developed Plans of Action and Milestones (POA&M)
    for each significant security deficiency identified in the past fiscal
    year?
  • Has the agency developed, implemented, and managed an agency-wide
    POA&M process that includes incorporating known IT security
    weaknesses into the POA&M?

Certification & Accreditation

  • What percent of systems has been certified and accredited, has
    integrated the costs of security controls into the systems’ lifecycles,
    has been tested for security controls in the past fiscal year, and has a
    contingency plan that has been tested in the past fiscal year?
  • Has the agency integrated its information and information technology
    security program with its critical infrastructure protection
    responsibilities and other security programs (e.g., continuity of
    operations, and physical and operational security)?

Configuration Management

  • Has the CIO implemented agency-wide policies that require detailed
    security configurations?
  • What percentage of systems have received these configurations for
    programs such as Microsoft Windows variations, Solaris, HP, Linux, Cisco
    routers, Oracle, and others?

Incident Detection and Response

  • Does the agency have documented policies and procedures for reporting
    security incidents internally, to law enforcement authorities, and to
    the US Computer Emergency Readiness Team (US-CERT)?
  • What percentage of systems has undergone vulnerability scans and
    penetration tests in the past fiscal year?

Security Awareness and Training

  • Has the agency CIO ensured security training and awareness of all
    agency employees, including contractors and those employees with
    significant IT security responsibilities?

System Inventory

  • Has the CIO created an inventory of agency systems and updated it
    annually, including reaching an agreement with the Inspector General on
    the number of programs, systems, and contractor operations?

NIST has created FISMA implementation tips that can help federal agencies
perform a successful implementation, including:

  • Conduct FIPS 199 impact analyses as a corporate-wide exercise with the
    participation of key officials (e.g., Chief Information Officer, Senior
    Agency Information Security Officer, Authorizing Officials, and System
    Owners).
  • Conduct the selection of common security controls (i.e., agency
    infrastructure-related controls or controls for common hardware/software
    platforms) as a corporate-wide exercise with the participation of key
    officials (e.g., Chief Information Officer, Senior Agency Information
    Security Officer, Authorizing Officials, and System Owners).
  • For each security control baseline (low, moderate, or high) identified
    in NIST Special Publication 800-53, apply the tailoring guidance to
    adjust set of controls to meet the specific operational requirements of
    the agency.
  • For each tailored security control baseline, supplement the security
    controls with additional controls and/or control enhancements based on
    the results of an organizational assessment of risk.
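The Categorize and Select steps of the Risk Management Framework, and the FIPS 199 impact-analysis and SP 800-53 tailoring tips above, are mechanical enough to show in code. The following Python is an added example written for this page, not code from NIST or from the report's author: it computes a system's FIPS 199 security category as the high-water mark across the information types it handles (the SP 800-60 approach), derives the FIPS 200 impact level that picks the SP 800-53 baseline, and records each tailoring decision so it can be carried into the system security plan. The information types, the small control sets standing in for the real baselines, and the scoping and supplementation justifications are all constructed for illustration.

```python
"""FIPS 199 categorization and SP 800-53 baseline tailoring (added example).

Not NIST's or the report's code. Impact levels follow FIPS 199; the system
category is the per-objective high-water mark across all information types;
the baseline (FIPS 200) is the highest of the three objective levels.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")          # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, stores or transmits."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:            # reject anything that is not a FIPS 199 level
            if getattr(self, obj) not in LEVELS:
                raise ValueError(f"{self.name}: invalid {obj} level {getattr(self, obj)!r}")


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest level in the iterable, using LOW < MODERATE < HIGH."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """RMF step 1 (Categorize): for each objective, take the high-water mark
    across every information type handled by the system."""
    if not info_types:
        raise ValueError("a system must have at least one information type")
    return {obj: high_water_mark(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def security_category(system: str, cat: Dict[str, str]) -> str:
    """Render the categorization in the notation FIPS 199 uses."""
    pairs = ", ".join(f"({obj}, {cat[obj]})" for obj in OBJECTIVES)
    return f"SC {system} = {{{pairs}}}"


def select_baseline(cat: Dict[str, str]) -> str:
    """FIPS 200: the overall impact level, and so the SP 800-53 baseline,
    is the highest value among confidentiality, integrity and availability."""
    return high_water_mark(cat.values())


# Constructed, deliberately tiny stand-ins for the SP 800-53 baselines. The
# real baselines contain hundreds of controls and are defined in SP 800-53.
BASELINES: Dict[str, Set[str]] = {
    "LOW": {"AC-2", "AU-2", "CM-6", "IR-4", "RA-5"},
    "MODERATE": {"AC-2", "AC-2(1)", "AU-2", "CM-6", "IR-4", "RA-5", "SI-4"},
    "HIGH": {"AC-2", "AC-2(1)", "AC-2(2)", "AU-2", "CM-6", "IR-4", "RA-5",
             "SI-4", "SI-4(4)"},
}


def tailor(level: str,
           scoped_out: Optional[Dict[str, str]] = None,
           supplemented: Optional[Dict[str, str]] = None) -> Tuple[Set[str], List[str]]:
    """RMF step 2 (Select): start from the baseline, remove controls only with a
    recorded scoping justification, add controls the organizational risk
    assessment calls for. Returns the tailored set and the decision log."""
    controls = set(BASELINES[level])
    log = [f"baseline {level}: {len(controls)} controls"]
    for ctl, why in (scoped_out or {}).items():
        if ctl not in controls:
            raise ValueError(f"cannot scope out {ctl}: not in the {level} baseline")
        controls.remove(ctl)
        log.append(f"scoped out {ctl}: {why}")
    for ctl, why in (supplemented or {}).items():
        if ctl in controls:
            log.append(f"{ctl} already in baseline; no change")
            continue
        controls.add(ctl)
        log.append(f"supplemented {ctl}: {why}")
    return controls, log


if __name__ == "__main__":
    # Constructed information types for a hypothetical benefits-processing system.
    types = [
        InfoType("public program descriptions", "LOW", "MODERATE", "LOW"),
        InfoType("beneficiary PII and payment records", "MODERATE", "MODERATE", "LOW"),
        InfoType("payment disbursement schedule", "LOW", "HIGH", "HIGH"),
    ]
    cat = categorize_system(types)
    print(security_category("benefits-system", cat))
    level = select_baseline(cat)
    controls, log = tailor(
        level,
        scoped_out={"SI-4(4)": "constructed scoping decision for illustration"},
        supplemented={"AC-18": "risk assessment found wireless LAN in scope (constructed)"},
    )
    print(f"baseline: {level}; tailored set: {sorted(controls)}")
    print("\n".join(log))
```

Note that one HIGH information type is enough to pull the whole system to the HIGH baseline for that objective, which is why the tip above says to run the FIPS 199 analysis agency-wide with the system owners present: the categorization of a shared system is only as low as its most sensitive information type.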

In addition, the Continuous Diagnostics and Mitigation (CDM) program,
developed by the Department of Homeland Security (DHS) is designed to
support FISMA efforts through a six-phase process, designed to be executed
within 72 hours.

  1. Install/Update Sensors: To determine what exists on a network.
  2. Automated Search for Flaw: To highlight weaknesses.
  3. Collect Results from Departments and Agencies: To
    gather all data into one place, allowing for a singular view.
  4. Triage and Analyze Results: To determine a course of
    action for response and protection.
  5. Fix Worst First: To repair vital risks immediately.
  6. Report Progress: To share results under FISMA and
    other cybersecurity requirements.

The program is designed to be an ongoing program that is supported by
changes to technology acquisition requirements to help agencies move to
modernized levels of security.

Current View


Information security plays an integral role in the overall operations of
agencies that meet FISMA compliance standards. The Paperwork Reduction Act
effectively moved the federal government from a paper-based system to one
that has different requirements for information security. Each specific
agency is responsible for the identification and implementation of
security controls that pertain to it. This is done in collaboration with
the CIO, authorizing officials, information system owners, system security
managers, and system security officers. Therefore, every federal CIO is
responsible for ensuring the security of information within their agency
and they usually do so with the advice of their agency CISO.

Every year, the House Government Reform Committee generates its Federal
Information Security Report Card. The grades are primarily based on
reports submitted by agencies to the OMB through FISMA.

The Federal Audit Executive Council has established a FISMA Working Group
for the Inspector General’s community in an attempt to promote interagency
coordination of information security and evaluation requirements
established by FISMA. Their goal is to provide FISMA training and update
conferences, offer a forum for lessons learned, and to coordinate issues
and initiatives that cross agency lines.

The private sector is responding as well. In an attempt to meet the needs
of federal agencies, some commercial vendors are supplying tools that
purport to help. Symantec, for example, offers its Symantec Enterprise
Security Manager as well as its Control Compliance Suite, which provide
specific, pre-configured security policies, intended to allow government
agencies to audit their environments for compliance. The package performs
more than 2,000 different security and vulnerability checks to measure
whether systems and applications are configured properly, and attempts to
discover unpatched vulnerabilities so that they can be contained and
remediated.

To be sure, FISMA compliance is rife with pitfalls. Newer technologies
pose challenges for all users, not just federal agencies. Inspectors
generally find it difficult to keep up with technological changes – they
are after all inspectors and auditors and not technicians or
technologists. The need to ensure that contractors and other providers are
compliant with FISMA presents agencies with an additional burden outside
of the tasks they currently have internally.

There are a lot of critics of FISMA. Many lawmakers say that FISMA wastes
time and money, since officials are required to fill out tedious reports
to ensure their agencies are compliant. In 2010, legislation was
introduced that would provide a refresh of FISMA. Part of the bill, H.R.
4900, recommends that a permanent official be named by the President to a
position that oversees cybersecurity compliance. The government has taken
a few steps to automate FISMA: agencies have been instructed to stop
sending paper-based reports and now will begin submitting reports
electronically via secure monitoring systems.

Reform bills for existing FISMA standards were introduced and adopted
during 2012, as well. These bills are designed to move FISMA from being a
check-list type program to being a risk-based program that is agile enough
to respond to a real threat in real time. Under the bill, each department
secretary and agency director is held accountable for their organization’s
IT security. Although most federal agencies have chief information
security officers to coordinate IT security activities, the new
FISMA legislation requires them to have CISOs to develop,
implement and oversee agency-wide IT security programs. The bill also
requires each CISO to have the “necessary qualifications” that include
education, training, experience and security clearance.

The Federal Information Security Amendments Act of 2013 was introduced in
April of 2013 to “reestablish the oversight authority of the Director of
the Office of Management and Budget (OMB) with respect to agency
information and security policies and practices.” This amendment extends
the security requirements of federal agencies to include responsibilities
for:

  1. Complying with computer standards developed by NIST.
  2. Ensuring complementary and uniform standards for information systems
    and national security systems.
  3. Ensuring that information security management processes are integrated
    with budget processes.
  4. Securing facilities for classified information.
  5. Maintaining sufficient personnel with security clearances.
  6. Ensuring that information security performance indicators are included
    in the annual performance evaluations of all managers, senior managers,
    senior executive service personnel, and political appointees.



Government agencies required to comply with FISMA should use National
Institute of Standards and Technology publications for guidance on
control frameworks, security categorization, and asset classification.

Government contractors, particularly those responsible for managing
federal information systems and their associated data, need to be
attentive to the requirements under FISMA because in the long run if the
agency fails FISMA compliance and a contractor is heavily involved in
providing day-to-day support, the contractor fails as well.

State and local agencies that use federal information systems also need
to be compliant with FISMA. In fact, all organizations which possess or
use federal information or which operate, use, or have access to federal
information systems on behalf of a federal agency must comply.

Additionally, equipment suppliers and other vendors may also be required
to comply. FISMA applies to federal information, as well as information
systems and in certain limited circumstances its requirements also apply
to a specific class of information technology, i.e., “equipment that is
acquired by a Federal contractor incidental to a Federal contract.” In
these cases when federal information is used within incidentally acquired
equipment, the agency is responsible for ensuring that FISMA requirements
are met. That burden will then fall on the supplier to meet their end of
the bargain.

In the end, contractors and other sources, in addition to federal
agencies, should test their own organizations against FISMA reporting
requirements, become familiar with NIST publications and guidelines, and
comply with them.
