What is FISMA and How Does it Work?
The Federal Information Security Management Act (FISMA) is a United States law enacted in 2002 (as Title III of the E-Government Act) that sets out requirements and guidelines for reducing security risks to federal information and information systems. FISMA applies to all U.S. federal agencies, to state agencies that administer federal programs, and to private-sector organizations that operate systems or handle data under a contract with the U.S. government. It also assigns specific duties to the National Institute of Standards and Technology (NIST), which develops the standards and guidelines agencies must follow, and to the Office of Management and Budget (OMB), which oversees agency implementation and reporting.
FISMA was created to establish requirements for the development, documentation, and implementation of agency-wide information security programs. In effect, it defines a risk-based framework for how federal agencies, state agencies that manage federal programs, and federal contractors protect the information they collect and process, regardless of how sensitive that information is. It further provides guidance on how to assess risk, select and document security controls, and track changes to information systems, their security controls, and their authorization (accreditation) status.
Updates to FISMA
The Federal Information Security Modernization Act of 2014 (also known as FISMA 2014 or FISMA Reform) was signed into law in December 2014 and amended the original 2002 Act. It clarified the Department of Homeland Security's role in administering the implementation of information security policies for federal civilian executive-branch systems, shifted agencies toward continuous monitoring and automated reporting rather than periodic paperwork, and required agencies to report major security incidents to Congress, making it easier for agencies to respond to cyber attacks in a coordinated way.
Annual Reviews Required by FISMA
Every year, each agency must review its information security program and report the results to OMB; FISMA also requires an annual independent evaluation, typically performed by the agency's Inspector General. OMB consolidates these results and reports on agency compliance to Congress.
How to Achieve FISMA Compliance
FISMA compliance means implementing information security controls within your organization that meet or exceed the NIST standards and guidelines FISMA requires (principally FIPS 199, FIPS 200, and NIST Special Publication 800-53), and then documenting, assessing, authorizing, and continuously monitoring those controls. The controls themselves are only part of the work; the evidence that they are in place and operating is what an assessor or auditor will ask to see.
The FISMA framework for managing data security must be followed for all information systems used by applicable parties. FISMA guidelines cover topics including:
- Information system inventory: Agencies must develop and maintain an inventory of information systems.
- Risk categorization: All information systems, and the information they process, must be categorized by the impact (low, moderate, or high) that a loss of confidentiality, integrity, or availability would have on the organization. FIPS 199, "Standards for Security Categorization of Federal Information and Federal Information Systems," defines these security categories; the system's overall category is the highest impact level assigned to any of the three objectives for any information type it handles.
- System security plan: Agencies must develop and maintain a system security plan (SSP) for each system, describing the system boundary, its security categorization, the controls selected, and how each control is implemented. The SSP is a living document that is updated as the system and its controls change; NIST SP 800-18 provides guidance for writing it.
- Security controls: Organizations must meet the minimum security requirements described in FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems," by selecting the control baseline in NIST SP 800-53 that corresponds to the system's FIPS 199 category and tailoring it to the system.
- Risk assessments: Agencies must assess the risk (the threats and vulnerabilities, and their likelihood and impact) that remains after the selected controls are applied, and determine whether additional or compensating controls are needed. NIST SP 800-30 describes the assessment process.
- Certification and accreditation: After the previous steps are complete, the system's controls are independently assessed to confirm they are implemented correctly and operating as intended. If the residual risk is acceptable, an authorizing official formally authorizes the system to operate. In current NIST terminology (SP 800-37, the Risk Management Framework) this step is called assessment and authorization, and the result is an authorization to operate (ATO).
- Continuous monitoring: Once authorized, each system must continuously monitor a selected subset of its security controls and report on their status. Every change to the system must be documented, and significant changes must trigger a new risk assessment and may require reauthorization.
Ensuring that the data you collect, process, and share is protected both at rest within your information systems and in transit during transfers to external agencies or organizations is one of the first concrete steps you can take toward meeting FISMA requirements, since protection of data in transit and at rest appears in several of the FIPS 200 control families.
Penalties for FISMA Non-Compliance
FISMA is overseen and enforced by OMB, which evaluates whether agencies and their contractors are meeting the Act's requirements. Failure to meet FISMA requirements can result in reduced federal funding for an agency, loss of contracts for a contractor, congressional hearings, and indirect consequences such as reputational damage, since agency compliance results are reported publicly.
Ensure Your File Transfers are FISMA Compliant
Prevent data breaches, avoid penalties, and reduce the risk of public distrust by taking steps to ensure your processes meet data security compliance requirements. Meet the FISMA mandate to create, document, and implement an information system and data security plan by using a secure data transfer and storage system such as GoAnywhere Managed File Transfer (MFT). GoAnywhere helps organizations meet FISMA requirements with data security and encryption features including:
- FIPS 140-2 validated cryptography (validated under NIST's Cryptographic Module Validation Program). Note that a FIPS 140-2 validation applies to a specific cryptographic module in its validated configuration, so check the module's certificate and confirm the product is running in FIPS mode.
- User authentication and role-based access and restrictions
- Centralized file transfer processes, including connections to popular web-based applications and the tools you use every day
- Automation features to schedule future data movements and run recurring file transfers
- Data monitoring and audit features to track file movement, user access, and more
Learn how GoAnywhere MFT can help your organization achieve or improve FISMA compliance, including alignment with FIPS 200 and the NIST Special Publication 800-53 security controls, in our datasheet "Simplified, Secure, and Automated Managed File Transfer Solutions for FISMA."