What is FISMA Compliance?

Signed into law in 2002, the Federal Information Security Management Act (FISMA) establishes a set of security guidelines that help to reduce the security risk to federal data. FISMA regulations apply to all agencies within the U.S. federal government, some state agencies and any private sector organization in a contractual relationship with the government. The National Institute of Standards and Technology (NIST) is the agency named responsible for developing the security standards and guidelines necessary for FISMA implementation.

Compliance Requirements:

FISMA guidelines cover the topics of information system inventory, risk categorization, system security plan, security controls, risk assessments, certification and accreditation and continuous monitoring.

One of the most popular and robust NIST publications set forth in accordance with FISMA is NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.” This publication is used by organizations subject to FISMA regulations for establishing and maintaining best practices regarding information security.

Evaluation of compliance is reported annually to the Office of Management and Budget (OMB), and each agency’s FISMA Report Card is available to the public. Penalties for non-compliance includes censure (public reprimand) by congress, reduction in federal funding and negative publicity stemming from the public FISMA Report Card, congressional censure and subsequent media coverage.

Managed File Transfer and FISMA:

Ensuring that file transfers performed under the guidelines of FISMA are secure is an essential step towards FISMA and NIST compliance. Several of the NIST SP 800-53 controls can be addressed through the GoAnywhere managed file transfer solution, which include:

  • Data protection and encryption during file transfer processes
  • Access control to limit data access to only those necessary
  • Auditing and reporting to efficiently provide data needed for annual FISMA audits

"Because GoAnywhere was so simple to implement and configure and the documentation was more than sufficient, we saved the additional costs of implementation services. The competing solutions required weeks to implement. GoAnywhere was fully installed, tested and put into production in a few days."