FISMA: The Federal Information Security Management Act

The E-Government Act of 2002 introduced a large number of new regulations to implement and control the use of electronic technologies by the U.S. Government. Title III of this Act, called the Federal Information Security Management Act, required all Government agencies to develop extensive information security programs.

What is the Importance of FISMA?

The Federal Information Security Management Act deals with Information Security, which is one of the Fair Information Practice Principles. Proper protection of data includes not only the acceptable use and disclosure of the data by the agency, but also the measures taken to prevent abuse of information by other parties and to protect the integrity and availability of the data.

FISMA incorporates the three main components of information security:

  • Confidentiality – involves implementing the necessary restrictions and authorizations to limit access to sensitive data.
  • Integrity – involves ensuring information is authentic and preventing improper modification or destruction.
  • Availability – involves the ability to readily access information and the timeliness of the information.

What Does a FISMA Compliant Information Security Program Entail?

  • Periodic risk assessments must be conducted evaluating any potential harm caused by unauthorized access, use, disclosure or destruction of the data, including an assessment of the magnitude of harm.
  • Risk assessments are used to develop policies which are cost-effective and reduce any security threats. These policies must also protect data at all stages of the life cycle.
  • The efficacy of policies, procedures and security controls must be tested at least annually, with higher risk systems requiring more frequent evaluations.
  • An agency must implement a way to detect, report and respond to security violations.
  • An agency must develop a continuity of operations plan to return to function as quickly as possible in the event of a security incident or disruption.

What is Security Certification and Accreditation?

Security Certification and Accreditation is the official process taken to authorize the operation of an information system by an agency of the U.S. Government. By accrediting an information system, the agency accepts full responsibility for the system and will be held accountable for any negative impacts or problems that may arise.

The four phases of the Security Certification and Accreditation process:

  1. Initiation Phase – ensures all parties are on the same page regarding the information system, its contents and controls before the system is evaluated. In this phase, the information system is prepared and the security plan is analyzed and updated for review.
  2. Security Certification Phase – evaluates security controls to make sure they are functioning correctly, that the system is operating as it should and that the information is adequately protected. In this phase, all security controls are tested and documentation is created with the results.
  3. Security Accreditation Phase – the information gathered during the previous phase is used to determine if the operation of the information system presents an acceptable security risk. In this stage, the authorizing official determines whether or not an information system may become operational, and proper documentation is filed if the system is ready to become accredited.
  4. Continuous Monitoring Phase – ensures ongoing enforcement by requiring ongoing configuration and management control, monitoring of security controls and the filing of status reports and documents.

Reaccreditation occurs periodically and after significant changes in the system or environment. The Security Certification and Accreditation process is used to evaluate an individual information system and its security. It is similar to, but distinct from, Privacy Impact Assessments, which are used to evaluate privacy protections with regard to changes in a records system. PIA and C&A evaluations for a particular information system may overlap in coverage. However, PIAs are also used to evaluate privacy concerns involved with using matching programs, sharing information between agencies or transferring data to electronic form. C&A evaluations are less frequent and more extensive, and evaluate individual security systems and their related policies.

Enforcement of FISMA

Monitoring of FISMA compliance is built into the regulation through mandatory reports due to the Director of the Office of Management and Budget and to several House of Representatives and Senate committees. The report must include:

  • The information resources used by the agency.
  • The information technologies used by the agency.
  • The program performance.
  • Financial management information, including annual budgets and accounting to determine cost effectiveness.
  • A record of any significant vulnerabilities in the policies, procedures or security systems.

In 2008, OMB Memorandum 08-09 added new reporting guidelines that required each agency to report:

  • The number of each type of privacy review used by the agency during the previous fiscal year.
  • Any new policies, guidance or advice provided by the agency official in charge of privacy in the past fiscal year.
  • The number of written privacy complaints received in the past fiscal year.
  • The number of privacy issues referred to another agency with the relevant jurisdiction in the past fiscal year.

Each agency must also create a performance plan, in consultation with the Director of the Office of Management and Budget, regarding the time period and resources needed, including budget, staffing and training, to implement or continue to implement secure, FISMA-compliant information security systems.

FISMA also requires annual independent evaluations of the information security programs and procedures. The evaluation is conducted by the Inspector General of the agency, if one is appointed. If one is not appointed, the head of the agency must hire an external party to evaluate the system. A report on the evaluation must be submitted to the Director of the Office of Management and Budget, who then summarizes the findings in the Director's Report to Congress.


The Federal Information Security Management Act protects privacy by requiring extensive evaluations and monitoring of Government information systems to ensure data is adequately protected and operating at an acceptable level of risk.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

  • Federal Information Security Management Act (I.C.f.i-iii.)
  • The E-Government Act of 2002 including Privacy Impact Assessments (I.C.c.i.-ii.)
