FISMA Compliance Requirements: Everything You Need to Know

FISMA – the Federal Information Security Management Act – mandates a number of cybersecurity measures for US government agencies and their private contractors: an inventory of IT systems, the risk categorization of assets, a detailed system security plan and annual certification. Read on to learn more about FISMA’s compliance requirements, the documents you need to produce and how the law relates to standards like NIST 800-53 and 800-171.

What Is FISMA?

The Federal Information Security Management Act is a law passed in 2002 and amended in 2014 that requires government agencies to develop and maintain information security programs to better protect sensitive data and critical services. Specifically, under FISMA the head of each agency is responsible for establishing security protections commensurate with the risk and potential harm stemming from the unauthorized use of IT systems.

Who Does FISMA Apply to?

Under FISMA, agencies must ensure adequate protections for information systems used by them, one of their contractors, or operated on their behalf by another entity. As a result, FISMA compliance affects a wide range of companies who work with the government. Vendors, suppliers and subcontractors with public contracts are generally required to meet FISMA’s information security requirements. In addition, the act was later amended to cover state and local governments that manage federal programs such as student loans or Medicare/Medicaid.

FISMA governs federal information systems and private entities who access or operate them. Businesses who store or process sensitive government information in their own company network are regulated under NIST 800-171.

What Is the Difference Between FISMA and NIST 800-53?

FISMA requires organizations with access to federal IT systems to maintain an appropriate level of information security. To determine the safety measures needed to adequately protect government data and ensure that guidance is continuously updated without the need to amend FISMA itself, the act tasked the National Institute of Standards and Technology (NIST) with developing guidelines on the required safety measures.

The exact relationship between FISMA and NIST 800-53 can be explained as follows: NIST 800-53 details the security controls organizations must implement in order to fulfill the act’s minimum security requirements. Complying with NIST 800-53 is an important part of FISMA. However, FISMA compliance goes beyond specific security controls and also covers high-level tasks such as the IT inventory, risk categorization, documentation, certification and more.

FISMA Compliance Requirements

The goal of FISMA is to improve cybersecurity in federal IT systems by enforcing mandatory security controls, which are detailed in FIPS 200 and SP 800-53. However, the act itself governs not just safety measures, but the entire implementation process from determining the security impact of information assets and developing a system security plan to the continuous monitoring and improvement of cybersecurity programs.

The seven steps needed to achieve FISMA compliance are:

  • Establish an inventory of IT systems

  • Conduct a security categorization of information assets

  • Develop a system security plan

  • Implement required security controls

  • Conduct risk assessments to evaluate successful implementation/planned changes

  • Perform annual reviews as part of the certification and accreditation process

  • Ensure continuous monitoring of information systems and security programs

Please note that not all FISMA compliance requirements for federal agencies are also relevant for private companies. The exact demands on your business depend on the contract in question. Many agencies publish contract language guides that can give you an idea of the process.


Inventory of IT Systems

The first step towards FISMA compliance is to establish an inventory of major information systems. This not only requires identifying components, applications and devices, but also system boundaries and the connections to other IT systems, including those outside your own network. Defining system boundaries can be especially tricky for organizations that are part of a larger IT environment. The inventory must be updated yearly.


Security Categorization

During the security categorization, organizations must grade IT assets based on how strongly they would affect the confidentiality, integrity and availability of sensitive systems in the event of a breach. Each of these areas is individually rated as low, moderate or high impact. However, the classification of IT assets follows a high watermark approach, meaning that the overall impact rating is equal to the highest value among the three categories. For example, a system that is rated as high impact with regard to confidentiality would be categorized as high impact overall.

The results of the security categorization determine which security controls an organization is expected to implement and can inform further adjustments officials make during the tailoring process. Detailed guidance on the categorization of information systems is available in FIPS 199 and NIST 800-60.


System Security Plan

The system security plan documents security controls, how they were implemented, as well as scoping and tailoring decisions for mandatory controls. It combines the results of the IT inventory, security categorization and any adjustments made to controls from NIST 800-53 to create a security program that reflects the specific needs and unique requirements of your organization. The security plan must be reviewed and approved during the accreditation process and requires annual updates. More information on how to develop a system security plan is available in SP 800-18.


Establish Security Controls

Once an organization has inventoried its IT assets, determined their security impact, chosen the corresponding control baseline from SP 800-53 and tailored controls to their specific IT setup, it’s time for the real work to begin: Implementing safety measures is by far the biggest task on the path towards FISMA compliance. In fact, this step is impossible to complete on your own. In order to address all required areas of information security, organizations must find cost-effective security solutions to support their efforts.

To learn more about the security requirements of SP 800-53 and related NIST standards, download our free compliance overview.



Risk Assessments

Risk assessments verify the successful implementation of the required safety measures and must be performed when an information system is initially authorized, as well as ahead of any major changes to the IT infrastructure. Guidance on how to conduct risk assessments is available in SP 800-30.


Certification & Accreditation

FISMA requires agencies to perform annual reviews to ensure the continued effectiveness of their cybersecurity efforts. To this end, the operator of an information system (system owner) is required to submit an authorization package to a senior agency official for approval. The authorization package includes the system security plan, security control assessment and a plan of action that lays out how problems identified during the assessment will be addressed. After reviewing the submitted materials, the senior official can grant an authorization to operate the system (ATO) or require further changes.

For private entities, the certification process is determined by the requirements and specific procedures of the agency they collaborate with. Aside from submitting required documents, interviews and in-person audits of security controls may also be involved.


Continuous Monitoring

Even after receiving authorization to operate, system owners are required to monitor security controls on an ongoing basis. This includes assessing their effectiveness, documenting planned changes, analyzing their security impact and reporting findings to the designated officials. The demand for continuous monitoring was established in Circular A-130 of the Office of Management and Budget (OMB) following the FISMA amendment in 2014.

FISMA and Access Control

Although the path to FISMA compliance involves a lot of documentation, assessments and reporting, there is no doubt that the most challenging FISMA compliance requirement is implementing the necessary security controls. In order to address all demands laid out in the corresponding NIST standards, companies must find suitable and, above all, cost-effective security solutions. Without this kind of professional support, operating a system security program would be prohibitively complex and expensive.

A key topic covered by SP 800-53 is the need for effective access control to prevent unauthorized access to federal systems. This family of controls requires companies to actively manage user accounts, assign permissions following the principle of least privilege and conduct regular access reviews to ensure compliance. Keeping track of hundreds of users and thousands of permissions sounds impossible? That’s where identity and access management comes in.

Thanks to tenfold, FISMA-compliant access management has never been easier. Our revolutionary IAM platform comes with out-of-the-box support for key services such as Active Directory, Microsoft 365 and business applications like SAP ERP. With the help of our pre-built plugins, setting up tenfold is a matter of just a few days – while conventional IAM projects can take months and thousands of billable hours to complete.

Want to learn more about how tenfold can help your business save time and money in IT administration? Watch our video demo for a quick overview of our IAM solution or sign up for a free trial to experience tenfold in action!


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.