Request a
Consultation
FISMA hero image federal American eagle

FISMA Cybersecurity Compliance

FISMA requires federal agencies and their contractors to develop, document, and implement an information security program for the information and systems that support and protect its operations and assets.

The Federal Information Security Modernization Act (FISMA), first passed in 2002 and amended in 2014, applies to unclassified federal information and information systems used by federal agencies or contractors working with federal agencies. 

Federal Information Security Modernization Act (FISMA)

FISMA requires protections against the unauthorized access, use, disclosure, modification, or destruction of information that an agency collects or maintains or that is collected or maintained on behalf of any agency. FISMA also requires the National Institute of Standards and Technology (NIST) to establish minimum security requirements

As part of the larger Electronic Government Act of 2002, FISMA was initially called the Federal Information Security Management Act of 2002; it was later amended and renamed the Federal Information Security Modernization Act of 2014. 

Agencies and contractors have to submit a FISMA security authorization package to show they are compliant; it includes a FIPS 199 security categorization worksheet, privacy threshold assessment/privacy impact assessment, system security plan, security assessment plan, security assessment report, and supporting documents (i.e., information security policies, rules of behavior, IT contingency plan, confirmation management plan, and incident response plan).

Cerberus Sentinel’s FISMA compliance experts solution can assist organizations with undergoing the security authorization and assessment process and annual continuous monitoring requirements necessary to maintain FISMA compliance. 

Security controls and assessments are based on NIST Special Publications (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and the security authorization must be consistent with NIST SP 800-37, Risk Management Framework for Information systems and Organizations: A System Life Cycle Approach for Security and Privacy.

FISMA also relies on several other NIST SPs, most notably: 800-30, Guide for Conducting Risk Assessments, 800-34, Contingency Planning Guide for Federal Information Systems, 800-39, Managing Information Security Risk, 800-60, Mapping Information Types to Security Categories, 800-128, Security Focused Configuration Management, and 800-137, Information Security Continuous Monitoring.

FISMA also made meeting Federal Information Processing Standards (FIPS) 199 – Standards for Security Categorization and FIPS 200 – Minimum Security Requirements mandatory for federal organizations and contractors working with agencies. The NIST 800-37’s RMF is key to categorizing and selecting FIPS 199 and FIPS 200 controls.

Get Started with Cerberus Sentinel

Start protecting your business and reduce risk and exposure.