FISMA Compliance

The Federal Information Security Management Act (FISMA) requires federal agencies to improve the security of IT systems, applications, and databases. Each federal agency must develop, document, and implement a program to provide security for the data and IT systems that support its operations and assets. Technology-based controls include access control, identification and authentication, audit and accountability, encryption, and system and communications protection.

FISMA compliance is a matter of national security and is therefore scrutinized at the highest level of government. All federal agencies receive an annual grade for their FISMA compliance programs; these "report cards" are made public and are available on the Internet.


The following is a short list of the most frequently asked questions concerning FISMA requirements.

What is FISMA?
FISMA is the Federal Information Security Management Act of 2002. It was passed as Title III of the E-Government Act (Public Law 107-347) in December 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

What is the role of NIST for FISMA?
The National Institute of Standards and Technology (NIST) develops IT security standards and guidelines for FISMA. Federal agencies must follow these rules, which require compliance reporting by each agency.

Who must comply with FISMA requirements?
FISMA compliance is mandatory for all federal agencies and any contractors or other organizations supporting a federal agency IT system.

How often is FISMA compliance evaluated for an IT system?
IT security for every federal agency is evaluated and reported annually to the OMB, which makes a FISMA Report Card available to the public. The reports must include an independent evaluation by either the agency Inspector General or an external auditor.

What are the penalties for poor FISMA grades?
The penalties for a low or failing FISMA grade include censure by Congress, negative publicity for the agency, and reduced federal funding. A low FISMA grade means the agency is at risk of releasing private and sensitive information. A high grade on the FISMA report card indicates that its IT systems are secure and its data is locked down.

What is the most important step towards FISMA compliance?
The first, and most important, step towards improving a FISMA compliance rating is to make an IT asset inventory that stores all hardware and software assets in a database.

FISMA Compliance: 8-Step Process

The following eight-step process for achieving FISMA compliance is derived from NIST documentation proposing steps for increasing the security of federal IT systems. The security controls set forth by COBIT, combined with the infrastructure processes of ITIL, provide an effective framework for FISMA compliance.

1. Create an IT hardware and software inventory.
2. Perform a gap analysis to establish a security controls baseline.
3. Perform a risk assessment of the security controls.
4. Create a system security plan and documentation.
5. Implement and deploy the security controls.
6. Perform an audit of the security controls to determine their effectiveness.
7. Perform corrective actions as needed.
8. Monitor the security controls on a continual basis.

IT Asset Inventory

A basic requirement of FISMA compliance is an inventory of all IT hardware and software assets stored in a database. The IT inventory should contain the following information for each piece of hardware and software in your organization:

Description of asset
Model number
Date of purchase or lease
Date of deployment
Date of last upgrade performed
Record of service
Maintenance and repairs performed
Customization or modifications performed
Disposition (recycle, disposal, resale)
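The inventory fields above are only useful if every record is complete and internally consistent, which is what the gap analysis in step 2 checks. The following added example (not from the original page or any vendor's product; field names, the asset identifiers and the sample records are assumptions constructed for illustration) scans a small inventory for missing required fields, unrecognised disposition values and impossible date ordering:

```python
from datetime import date

# Fields every inventory record must carry (taken from the list above) and
# the allowed disposition values. Field names are assumptions for this example.
REQUIRED = ("description", "model_number", "purchase_date", "deployment_date")
DISPOSITIONS = {None, "recycle", "disposal", "resale"}


def record_gaps(asset):
    """Return a list of compliance gaps for one inventory record."""
    gaps = [f"missing {f}" for f in REQUIRED if not asset.get(f)]
    if asset.get("disposition") not in DISPOSITIONS:
        gaps.append(f"invalid disposition {asset.get('disposition')!r}")
    bought, deployed = asset.get("purchase_date"), asset.get("deployment_date")
    upgraded = asset.get("last_upgrade")
    # An asset cannot be deployed before it was bought, or upgraded before deployment.
    if bought and deployed and deployed < bought:
        gaps.append("deployment_date precedes purchase_date")
    if deployed and upgraded and upgraded < deployed:
        gaps.append("last_upgrade precedes deployment_date")
    return gaps


def inventory_gaps(assets):
    """Map asset id -> gaps for every record that is incomplete or inconsistent."""
    report = {}
    for asset_id, asset in assets.items():
        gaps = record_gaps(asset)
        if gaps:
            report[asset_id] = gaps
    return report


# Constructed sample inventory; these are not real assets.
SAMPLE = {
    "srv-01": {"description": "Web server", "model_number": "X1",
               "purchase_date": date(2019, 3, 1), "deployment_date": date(2019, 4, 1),
               "last_upgrade": date(2020, 1, 15), "disposition": None},
    "srv-02": {"description": "DB server", "model_number": "",
               "purchase_date": date(2019, 6, 1), "deployment_date": date(2019, 5, 1)},
    "lap-07": {"description": "Laptop", "model_number": "L7",
               "purchase_date": date(2018, 1, 1), "deployment_date": date(2018, 2, 1),
               "last_upgrade": date(2018, 1, 15), "disposition": "sold"},
}

if __name__ == "__main__":
    for asset_id, gaps in inventory_gaps(SAMPLE).items():
        print(asset_id, gaps)
```

Records that pass every check are omitted from the report, so an empty result means the inventory is ready for the baseline step.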