FISMA Compliance

The Federal Information Security Management Act of 2002 (FISMA) required the development of mandatory information security risk management standards.

Who oversees it?

Federal Office of Management and Budget (OMB).

Who does it apply to?

Federal agencies and those who work on behalf of federal agencies, such as contractors, sub-contractors, etc.

How does it impact IT professionals?

IT professionals may be called upon to help implement information security controls for clients who work on behalf of federal agencies as contractors.

What do your clients need to be FISMA compliant?

The core component of FISMA compliance is an inventory of IT assets that includes the following information for each asset:

  • Description of the asset
  • Manufacturer
  • Model number
  • Date of purchase or lease
  • Date the asset was deployed
  • Date the last upgrade was performed
  • Record of service/maintenance requests
  • Record of customizations/modifications
  • Current disposition

In addition to the FISMA IT asset inventory, there are seven other key areas in which compliance is graded. These are:

  1. Perform a vulnerability assessment to establish a security control baseline
  2. Perform a risk assessment of security controls
  3. Document an Information Security Policy
  4. Implement and maintain security controls based on the Information Security Policy
  5. Audit the implemented controls to determine their effectiveness
  6. Perform corrective actions as needed
  7. Monitor security controls on a continual basis


On December 18th, 2014, President Obama signed a bill reforming FISMA to modernize certain aspects of the law and bring it in line with a new level of oversight by the Department of Homeland Security.

There are some key changes to the Federal Information Security Modernization Act of 2014 (FISMA 2014) that you should be aware of:

  1. The new law empowers the Secretary of the Department of Homeland Security to work with the OMB Director in overseeing the implementation of agency information and security policies and procedures for federal information systems.
  2. The new law changes the scope of reporting requirements, moving away from reporting primarily on policy and financial information and adding reporting requirements for threats, security incidents, and compliance with security requirements.
  3. The new law now requires FISMA to address data breach notification requirements and ensure that such requirements are kept up-to-date and reviewed regularly.
  4. The new law requires a review of current reporting requirements to reduce or eliminate inefficient or wasteful reporting.

What are the dangers of not being FISMA compliant?

  • Censure by Congress
  • Negative publicity for the agency or organization
  • Reduced funding
  • Lost contract opportunities

Event and Audit Log Retention Requirements

In order to maintain FISMA compliance, event and audit logs must be retained for a period of three years.

FISMA Compliance Services at a Glance

MSPs can assist clients subject to the FISMA rules by helping them create and deploy a written Information Security Policy that adheres to the framework laid out in the compliance requirements above.

Regularly scheduled risk assessment audits and monitoring are key features to maintaining FISMA compliance.
