FAQ: What is the Federal Information Security Management Act?

The Federal Information Security Management Act aims to improve information security by requiring federal agencies to comply with standards. Learn more with this FISMA FAQ.

The Federal Information Security Management Act (FISMA) is a widely criticized provision in the E-Government Act of 2002, which aims to improve the government’s information security by requiring federal agencies to comply with standards and report annually on their compliance systems. Under FISMA, agencies must maintain an inventory of their information systems, deploy security controls, conduct risk assessments and certify their systems, among other things.

FISMA established a framework for information security and put the National Institute of Standards and Technology in charge of coming up with standards (Federal Information Processing Standards) for agencies to follow. NIST also issues guidance documents and recommendations for FISMA implementation.

From the beginning, the emphasis in FISMA has been on developing a risk-based policy to provide cost-effective security for the agencies. In 2003, NIST established the FISMA Implementation Project, which includes the Risk Management Framework. The framework outlines a certification and accreditation process, a set of security controls and guidelines on assessing the controls. In one of its latest documents, issued in June, NIST revised its guidelines for assessing controls to put a greater emphasis on managing risk in real time.

The Office of Management and Budget issues FISMA reporting requirements, and sends an annual report to Congress on agency compliance. Lawmakers have typically published an annual FISMA report card, comparing the grades that agencies receive.


Who is subject to FISMA, and what is required?

The Federal Information Security Management Act applies to agencies within the federal government. Under the act, these agencies must maintain a program that provides security for information and compliance systems that support their operations. CIOs, program officials and inspectors general at the agencies are required to conduct a yearly review of the program and submit the results to the Office of Management and Budget (OMB).

The heads of the agencies are responsible for maintaining an inventory of their information and compliance systems. The agencies have to determine what types of information they have, categorize it by the degree of harm that would result if it were compromised, and periodically conduct risk assessments. They must reduce the risk to an “acceptable” level by implementing appropriate controls, which are certified and tested periodically. They also must have plans in place to respond to security incidents and maintain continuity of operations.

Minimum security requirements and controls spelled out by NIST are considered a starting point for agencies in choosing appropriate controls. Except where the OMB says otherwise, agencies have considerable flexibility in how they apply NIST guidelines. This flexibility has led to very different security regimes at different agencies.

How have federal agencies performed with regard to FISMA requirements since the act was passed?

In general, the average grade that agencies have received over the years since FISMA was enacted has been quite low, providing fodder for critics of both the law and information security capabilities in the government. In 2005, the Department of Defense (DoD) and the Department of Homeland Security were among eight agencies that received Fs. In 2007, the average grade was a C (with five agencies, including the Department of the Treasury and the Nuclear Regulatory Commission, failing outright), up from a C- the previous year.

As NIST has pointed out, the criteria used for evaluating the effectiveness of security controls have varied widely, as have expectations and measures of success. This reality was highlighted in 2008, when reports by two separate government offices used the same FISMA data to come to very different conclusions about the law’s effectiveness.

In its 2008 FISMA report to Congress, the OMB offered a generally positive outlook, finding that most of the major federal agencies had made “incremental progress” in narrowing the gap between security performance and the established performance criteria.

Meanwhile, the Government Accountability Office (GAO), in a report titled "Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist," charged that although the agencies were reporting improvements, some of their own inspectors general were calling into question the processes used. The GAO noted that most agencies had not implemented controls to adequately monitor access; agencies didn't always patch major servers in a timely way, and some did not maintain full operations continuity plans.

How does GARP improve information governance?

GARP creates a structure to manage all records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.

Numerous court rulings have established a legal demand that records be kept in accordance with requirements, that those records be accurate and that an organization establish accountability to ensure that the records are properly maintained. GARP provides a roadmap for organizations to follow to meet these criteria.

Today’s environment is regulation-heavy and prone to litigation. How exposed an organization is to the risk of legal sanctions and its ability to respond to audits or lawsuits is heavily dependent on how well the organization’s records and information security are managed. Establishing GARP within an organization demonstrates reasonable adherence to best practices.

The benefits of implementing GARP in an organization's information management program are realized when the organization’s records accurately and efficiently demonstrate what it has done and promote planning for the future.


What are the penalties for failing to comply with FISMA requirements?

Since Congress publishes the agencies’ FISMA results each year, public scorn has been one of the main penalties of noncompliance. Federal CIOs also face the risk of being called to Capitol Hill to testify if their agencies receive poor scores. Since FISMA was enacted, lawmakers have threatened to cut agency budgets if they did not improve their FISMA scores.

What do critics of the law see as its main shortcomings, and what changes to FISMA are in the works?

The criticism most often heard about the Federal Information Security Management Act is that it has led to a preoccupation with paperwork -- an emphasis on complying with a checklist of tasks -- rather than actual security improvements. The SANS Institute’s Alan Paller has been particularly vocal in this line of criticism, charging that the legislation has slowed processes at agencies, diverted resources from necessary security investments, and led to misleading reports. Critics have also grown increasingly concerned that the law does not promote awareness of threats and vulnerabilities in real time.

Lawmakers have expressed frustration with the way the law has been implemented. In October 2009, the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security held a hearing, during which the OMB was taken to task. Sen. Thomas R. Carper (D-Del.), the subcommittee chairman, noted that the OMB does not track how much agencies spend on information security or whether "it actually resulted in improved security."

In the wake of the growing chorus of criticism, the OMB has made some changes to agencies’ reporting requirements. In its fiscal year 2009 report to Congress on FISMA implementation, the OMB called the original compliance metrics “lagging indicators” that did not focus on results. An OMB task force was established in September 2009 to establish new metrics focused on outcomes rather than compliance, with agencies expected to use them in their 2010 reports. Agencies were also told to report the actual amount they spend on information security. In April, the OMB released new reporting requirements that emphasize real-time system monitoring.

Cybersecurity bills, including updates to FISMA, are introduced fairly regularly, but few reach fruition. In June, Sen. Carper joined two of his colleagues in introducing the Protecting Cyberspace as a National Asset Act of 2010, which would eliminate FISMA’s manual reporting method and require agencies to move toward continuous automated monitoring.

In May, the House of Representatives passed the “Federal Information Security Management Act of 2010” (dubbed FISMA 2.0) as part of a DoD spending bill. Among other things, the legislation required the agencies to use automated monitoring and measuring tools to assess vulnerability, and to take information security into consideration when making procurement decisions.

