What is a FISMA report?
The Federal Information Security Modernization Act of 2014 (FISMA), which updated the original Federal Information Security Management Act of 2002, requires each agency to report the status of its information security program to the Office of Management and Budget (OMB), and requires agency Inspectors General (IGs) to conduct annual independent evaluations of those programs. The annual FISMA report is that submission; OMB consolidates the agency reports and IG findings into its own annual report to Congress.
What does it mean to be FISMA compliant?
FISMA is U.S. federal legislation that defines a comprehensive framework for protecting government information, operations, and assets against threats. Signed into law in 2002 and updated in 2014, FISMA requires that federal information systems meet a baseline of security requirements, implemented as security controls drawn from NIST standards and guidelines (FIPS 199 and 200 for categorization and minimum requirements, NIST SP 800-53 for the control catalog).
Who is responsible for FISMA compliance?
Responsibility is shared. OMB oversees agency information security policy, NIST develops the standards and guidelines (FIPS and the SP 800 series), and the Department of Homeland Security administers the implementation of those policies and standards across federal civilian information systems. Each agency head remains accountable for their own agency's program, typically through the CIO and a senior information security officer.
What does FISMA require?
Federal agencies must provide information security protections commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency.
Who is required to be FISMA compliant?
Beyond federal agencies themselves, any private-sector company or other organization that collects or maintains federal information, or operates an information system on behalf of an agency, must comply with FISMA. In practice this reaches contractors providing services, organizations supporting a federal program, and grant recipients, to the extent their contract or agreement places them in that role.
What is FISMA and FedRAMP?
FedRAMP is a government-wide authorization program for cloud service providers (CSPs) that offer cloud services to federal agencies. FISMA is not a certification but the underlying law: it requires federal agencies and their contractors to meet information security standards. FedRAMP applies FISMA's NIST SP 800-53 control baselines to cloud services so that one authorization can be reused by many agencies.
Does FISMA apply to national security systems?
FISMA exempts national security systems (NSS) from most of its requirements; for those systems it retains only the enforcement of agency accountability for meeting applicable requirements and the reporting to Congress. Outside that exemption, FISMA's security requirements also apply to contractors who run information systems on behalf of an agency.
How do you become FISMA compliant?
- Risk Assessments: Agencies assess risk when a system is first authorized, whenever a significant change is made to it, and on an ongoing basis, using the NIST Risk Management Framework (RMF, NIST SP 800-37). NIST SP 800-39 frames that risk at three tiers: organization, mission/business process, and information system.
- Assessment and Authorization (formerly Certification and Accreditation): each system's controls are assessed and an authorizing official grants an authorization to operate (ATO). FISMA also requires each agency to review its security program at least annually and report the results.
Can personal information be shared without consent?
Ask for consent to share information unless there is a compelling reason for not doing so. Information can be shared without consent if it is justified in the public interest or required by law. Do not delay disclosing information to obtain consent if that might put children or young people at risk of significant harm.