What is FISMA compliance?

Here are some items included in Federal Information Systems Management Act (FISMA):

• The setting of minimum requirements concerning information and data security plans, procedures, and practices

• The recommendations of specific types of security in the form of systems, software programs and applications, and other technology that government agencies must implement from approved vendors

• Creates standardized risk assessment processes and sets a variety of standards for data and information security based on agency risk assessments

FISMA was developed and created for the purpose of having every federal agency develop, record and document, and implement data and information security plans that are meant to support and protect the operations and objectives of each agency.

FISMA is one article of legislation or one law, that is included in a larger piece of legislation named the E-Government Act. This act was created to recognize the imperative of data and information security to the national and economic health and interests of the United States.

Initially, FISMA only applied to federal government agencies, but over time the legislation has developed to cover some state agencies and companies that contract with the federal government, that participate in the management of government programs, such as:

• Medicare

• Medicaid

• Unemployment Insurance

This means that any private sector organization that works or does business with federal agencies must comply with the same information and data security laws, guidelines, and regulations as the federal agencies must.

Here are some more specific FISMA requirements:

• Information security inventory systems

• Risk categorization

• System security plans

• Security controls

• Risk assessments

• Certification and Accreditation