IT Matters for Small Businesses

What is FISMA Compliance? Regulations and Requirements


FISMA stands for the Federal Information Security Management Act, which the United States Congress passed in 2002: it requires federal agencies to implement information security plans to protect sensitive data.


FISMA compliance is data security guidance set by FISMA and the National Institute of Standards and Technology (NIST). NIST is responsible for maintaining and updating the compliance documents as directed by FISMA. More specifically, NIST:


  • Sets minimum requirements for information security plans and procedures.

  • Recommends types of security (systems, software, etc.) that agencies must implement and approves vendors.

  • Standardizes the risk assessment process and sets varying standards of information security based on agency risk assessments. Each agency has different levels of security requirements: the National Security Agency and Housing and Urban Development, for instance, have different risk levels and therefore different security requirements.

Why was FISMA Created?

FISMA was created to require each federal agency to develop, document, and implement a complete information security plan to protect and support the operations of the agency. FISMA is one article in a larger piece of legislation called the E-Government Act, which recognizes the importance of information security to the economic and national interests of the United States.


Congress amended FISMA in 2014 in the Federal Information Security Modernization Act. The amended legislation made several modifications to the original law that brought FISMA in line with current information security concerns. Agencies are now encouraged to rely more on continuous monitoring and to focus more on compliance than the previous legislation required.


Who Needs to Follow FISMA Compliance?

Originally, FISMA applied only to federal agencies. Over time, the law has evolved to cover state agencies that manage federal programs (e.g., Medicare, Medicaid, unemployment insurance) as well as companies with contracts to work with federal agencies.


That means private sector companies seeking to do business with federal agencies must adhere to the same information security guidelines as the federal agency itself.


FISMA Compliance Benefits

Achieving FISMA compliance increases an agency’s data security, protects citizens’ private data, and reduces IT-related costs to the federal government.


Private sector companies in the current data security climate should implement FISMA-compliant solutions for their own data security. Companies have to be FISMA compliant to work with federal agencies, and they get the added benefit of protecting their data from breaches.


Penalties for FISMA Compliance Violations

The loss of federal funding is one of the biggest potential penalties for FISMA compliance violations. For an agency, that could be detrimental; if you are a federal contractor, it could be the end of your company.


Other non-monetary penalties could be a loss of reputation due to data breaches and bad press – or even missing out on future federal project bid opportunities. If you depend on federal funds for your company’s ongoing revenue, you need to be FISMA compliant.



Any organization – regardless of federal government involvement – will benefit from a FISMA compliance program. The EU passed GDPR, and there is new legislation in Congress today that redefines PII and requires annual data risk reports. Privacy and data protection laws are coming to the United States, and it’s a good bet that FISMA will influence those laws. If you don’t have a data security strategy in place, you need to start planning now.


IndigoWave is a great place to start your FISMA compliance journey. We will highlight risks on sensitive data, monitor your data (one of the FISMA requirements) for potential cyberattacks, and more.


Begin your FISMA compliance journey today!
