Federal Information Security Modernization Act (FISMA)
The Federal Information Security Modernization Act (FISMA) establishes the statutory framework governing information security programs across United States federal agencies and their contractors. Originally enacted as part of the E-Government Act of 2002 and substantially updated by the Federal Information Security Modernization Act of 2014 (44 U.S.C. §§ 3551–3558), FISMA defines mandatory requirements for risk management, continuous monitoring, and annual reporting that apply to all federal information systems. Understanding where FISMA applies — and where it stops — is foundational for any organization operating under a federal contract, grant, or interagency agreement.
Definition and scope
FISMA places legal responsibility on the head of each federal agency to implement an agency-wide information security program. The Act covers all federal information systems, defined as systems operated by or on behalf of a federal agency — including contractor-operated systems that process, store, or transmit federal data (NIST SP 800-37 Rev. 2, §1.1).
The scope extends to:
- Executive branch civilian agencies — subject to oversight by the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS).
- National security systems — separately governed under the Committee on National Security Systems (CNSS) and largely exempted from standard FISMA metrics.
- Contractors and third parties — entities that operate systems on behalf of a covered agency inherit FISMA obligations through contract clauses referencing Federal Acquisition Regulation (FAR) subpart 39.1 and agency-specific supplements.
FISMA explicitly excludes systems operated by the Department of Defense and intelligence community under separate statutory authority, though those entities implement equivalent risk management programs.
Professionals navigating FISMA compliance requirements can consult this provider network for qualified security service providers operating in the federal sector.
How it works
FISMA compliance operates through a structured cycle administered primarily by NIST, OMB, and DHS. The practical execution follows the NIST Risk Management Framework (RMF), codified in NIST SP 800-37 Rev. 2, which defines six discrete phases:
- Categorize — Systems are categorized by impact level (Low, Moderate, High) using FIPS Publication 199 standards for confidentiality, integrity, and availability.
- Select — Security controls are selected from NIST SP 800-53 Rev. 5, which catalogs 20 control families covering areas from access control to supply chain risk management.
- Implement — Selected controls are deployed and documented in a System Security Plan (SSP).
- Assess — An independent assessor evaluates whether controls are implemented correctly, following NIST SP 800-53A Rev. 5 assessment procedures.
- Authorize — An Authorizing Official (AO) reviews the risk posture and issues an Authority to Operate (ATO), a provisional ATO, or a denial.
- Monitor — Continuous monitoring programs track control effectiveness, with findings reported through DHS's Continuous Diagnostics and Mitigation (CDM) program and annual Inspector General (IG) assessments submitted to OMB.
OMB Circular A-130, Managing Information as a Strategic Resource, reinforces these obligations and requires agencies to integrate privacy and security planning.
The annual FISMA reporting cycle requires agencies to submit metrics to OMB and DHS by a date specified each fiscal year. Congress receives a consolidated report through OMB, providing a government-wide view of federal cybersecurity posture.
Common scenarios
Federal agency internal systems — A civilian agency deploying a new human resources platform must complete the full RMF process before granting an ATO. A Moderate impact categorization under FIPS 199 typically triggers selection of baseline controls from the NIST SP 800-53 Moderate baseline, which includes approximately 325 distinct control requirements.
Contractor-operated cloud services — A cloud service provider hosting federal data pursues a FedRAMP authorization, which the General Services Administration (GSA) administers as a FISMA-compliant authorization pathway (FedRAMP Authorization Act, 44 U.S.C. § 3607). A single FedRAMP authorization can be reused across agencies, reducing duplicative assessment costs.
State agencies receiving federal grants — Entities administering programs funded by federal grants — such as Medicaid systems operated by state health departments — may inherit FISMA-equivalent requirements through grant conditions, even though they are not federal agencies.
Research institutions — Universities operating systems under contracts with agencies like the Department of Energy or NASA must implement FISMA-aligned controls; the specific control baseline depends on data classification and contract terms, not the institution's academic status.
Additional context on how this sector is organized appears on the security provider network purpose and scope page.
Decision boundaries
The central FISMA determination is whether a system is operated by or on behalf of a federal agency. Three contrast points clarify the boundary:
- FISMA vs. NIST Cybersecurity Framework (CSF) — FISMA compliance is legally mandatory for covered federal systems. The NIST CSF is a voluntary framework designed for critical infrastructure and private sector organizations; it shares conceptual alignment with FISMA's RMF but carries no statutory enforcement mechanism.
- FISMA vs. FedRAMP — FedRAMP is a program, not a law. It provides a standardized FISMA authorization pathway for cloud services; a FedRAMP authorization satisfies FISMA's assessment and authorization requirements for covered cloud offerings but does not replace agency-specific obligations for on-premises or hybrid systems.
- High vs. Moderate impact systems — A High impact designation under FIPS 199 requires enhanced controls and typically mandates a more rigorous assessment scope, including penetration testing and independent red team evaluation, compared to Moderate baseline requirements.
Organizations assessing whether their systems fall under FISMA jurisdiction or an equivalent framework can reference qualified assessors and consultants through the security provider network.