Federal Information Security Management Act (FISMA)

What is FISMA?

FISMA stands for the Federal Information Security Management Act, United States legislation signed into law in 2002 to underline the significance of data security to the economic and national security interests of the United States.

FISMA requires federal agencies to develop, implement, and report on a data security program that protects their information systems, including those provided or managed by another agency, a contractor, or another third party.

Who must be FISMA compliant?

All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant. This may include such diverse entities as data clearinghouses, state government departments, and government military subcontractors in cases where data is exchanged directly with federal government systems.

Who is responsible for FISMA compliance?

FISMA applies to all agencies within the U.S. federal government. However, since the law was enacted in 2002, the government has extended FISMA to include state agencies that administer federal programs such as unemployment insurance, student loans, Medicare, and Medicaid. The federal government further extended the reach of FISMA into the private sector and significantly increased implementation oversight. Now, any private sector organization that has a contractual relationship with the government, whether to provide services, support a federal program, or receive grant money, must comply with FISMA.

What are the top FISMA requirements?

The National Institute of Standards and Technology (NIST) plays an important role in the FISMA Implementation Project, launched in January 2003, which produced the key security standards and guidelines required by FISMA. These publications include FIPS 199, FIPS 200, and the NIST SP 800 series.

The top FISMA requirements include:

What is the FISMA compliance framework?

After the passing of FISMA, NIST (the National Institute of Standards and Technology) took a primary role in the implementation of the law. Basically, the organization created and promoted standards to be used by federal agencies and government contractors to become FISMA compliant. These standards were published along with supplementary best practice materials and include:

How is FISMA compliance validated?

The compliance audit and validation process consists of three steps.

1. Data feeds directly from security management tools: On a monthly and quarterly basis, agencies must connect to CyberScope, the FISMA online compliance tool, and feed data in the following areas:

2. Government-wide benchmarking on security posture: A set of questions on the security posture of the organization will also be asked in CyberScope. All organizations, except small offices, will be required to respond to these questions in addition to providing the data feeds described previously.

3. Agency-specific interviews: As a follow-up to the questions described above, a team of government security authorities will interview each agency individually on its security posture.

These interviews focus on the specific threats that each agency faces as part of its unique mission.

What are the consequences of non-compliance?

FISMA holds federal agencies accountable for securing government information. Failure to pass a FISMA inspection can result in:

How does Nemasis help achieve FISMA compliance?

Nemasis partners with federal departments and agencies to enable them to meet their regulatory requirements. Nemasis provides full end-to-end security solutions and services for government agencies and subcontractors to help them meet FISMA compliance using the security control classes defined in FIPS 200 and described in detail in NIST SP 800-53 Revision 4.

Nemasis-VA is a vulnerability management suite that proactively supports the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, analysis, reporting, and mitigation.

In the context of FISMA, Nemasis-VA helps agencies to:

Likewise, Nemasis-VA clients can meet FISMA reporting requirements by creating CyberScope reports based on USGCB and FDCC checklists. Federal agencies and contractors must use CyberScope in order to submit their monthly FISMA reports.
