Return to Glossary

The Federal Information Security Management Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information and operations. This risk management framework was signed into law as part of the Electronic Government Act of 2002, and later updated and amended.

Since 2002, FISMA's scope has widened to apply to state agencies that administer federal programs, or private businesses and service providers that hold a contract with the U.S. government. Reduced federal funding or other penalties may result from noncompliance.

The Electronic Government Act was introduced in order to improve the management of electronic government services and processes, while also managing federal spending around information security. FISMA was one of the more important regulations in the Electronic Government Act since it brought forth a method to reduce federal data security risks while emphasizing cost-effectiveness. A set of security policies were made for federal agencies to meet.

Specifically, FISMA requires federal agencies, and others it applies to, to develop, document and implement agency-wide information security programs. These programs should be able to protect sensitive data. The act also pushes some responsibilities to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). Agency officials, like chief information officers and inspector generals, should conduct annual reviews of an agency's information security program, reporting those reviews to OMB. OMB will then use the data to assist in its oversight responsibilities, as well as forwarding annual reports to Congress.

NIST is tasked with developing information regarding standards and guidelines, such as minimum security requirements.

Source: https://www.techtarget.com/searchsecurity/definition/Federal-Information-Security-Management-Act