FISMA, or the Federal Information Security Management Act, was first legislated in 2002 and updated in 2014 to establish the CIO of government agencies such as the Office of Management and Budget (OMB) and the Department of Homeland Services (DHS) as accountable for ensuring information security capabilities. Although FISMA was originally applicable to federal government agencies, it quickly included state government and government contractors as well as any organization with a governmental agency as its client.

What is FISMA Compliance?

FISMA is federal law developed by the Department of Defense that requires any governmental agency or organization dealing with government data to set up an information security and protection program. Since the overarching goal of FISMA, or the Federal Information Security Modernization Act, is to defend sensitive government data and operations, FISMA is required by federal, state and local governmental agencies as well as any organization that does business with the government.

The types of information covered by FISMA falls into two general categories:

  • Controlled Unclassified Information (CUI). Government-created or owned unclassified information that still requires protection.
  • Covered Defense Information (CDI). A type of CUI that is developed under a Department of Defense (DoD) contract. It is non-public data that also requires protection.

Examples of the two types of data include engineering drawings, technical reports and notes, bills of software and source code.

The Components of FISMA

FISMA is not a standalone set of regulations, but a collection of different regulations and guidelines meant for organizations to implement when relevant to the type of data they store and process.

These regulations include:

  • NIST SP 800-53. A security framework of more than 1,000 controls related to information security, including access control, configuration management, incident response, business continuity, disaster recoverability, privacy and information protection. It is mandatory for any organization that has access to data of the federal government. 
  • NIST SP 800-171. A set of privacy and security controls that are specifically related to third parties that store or process CUI. 
  • FIPS 199. A framework for categorizing federal data according to the potential impact with respect to the loss of confidentiality, integrity or availability.  
  • FEDRAMP. These requirements are related specifically to cloud providers.

The Main FISMA Compliance Requirements

National Institute of Standards and Technology (NIST) developed the standards which are the foundation of the FISMA compliance requirements. They are outlined in detail in the FIPS 199, FIPS 200, and the NIST 800 series.

A high-level summary of these requirements include:

  • Information System Inventory: Organizations must keep an inventory of the different information systems under their management and how they integrate with other systems, both internal ones and ones integrating with third-party vendors. 
  • Conduct risk assessments. This is a fundamental component of FISMA. NIST SP 800-53 offers guidance to organizations on how they can conduct security assessments and use them to determine which security controls are relevant. All security risks should be identified at an organizational, business process and information systems level. The risk assessment should also determine whether additional security controls are necessary. 
  • Categorize risk. Organizations must categorize data and IT systems according to levels of risk – low, medium and high. The goal of categorizing risk is to ensure that high-value assets are given the highest level of security. The exact risk levels are defined in FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.  
  • Certification. After risk assessment and categorization are complete and security controls have been verified that they work properly, your information system can be accredited. Certification and accreditation are defined in NIST SP 800-37.
  • Implement continuous monitoring. This includes monitoring information systems to identify any suspicious behavior as well as analyze the performance of current controls to identify weaknesses. Continuous monitoring is also meant to enable quicker response to breaches and other security incidents. 
  • Maintain a System Security Plan (SSP). The System Security Plan details how the organization implements security controls. It must be updated regularly and include a Plan of Action and Milestones (POA&M). The SSP is a critical component necessary for organizations to be able to operate. 
  • Utilize security controls. An extensive catalog of security controls is outlined in NIST SP 800-53. FISMA requires organizations to implement only the security controls relevant to your organization. Controls are then documented in the SSP.

Maintaining FISMA Compliance

The requirements above are only the high-level requirements. Meeting FISMA compliance goes beyond the high-level requirement above, however, to include hundreds of security controls, data protection mechanisms, disaster and recovery plans, and more.

To ensure compliance on a regular basis, consider these best practices:

  • Classify data upon creation. This helps you prioritize the security controls and policies so that you can apply them according to the level of sensitivity of the information. 
  • Automatically encrypt sensitive data. Many tools exist to encrypt data. Some encrypt data of different levels of sensitivity while others encrypt it at the point that it is at risk of being exposed or breached. 
  • Maintain detailed records. Document the procedures and steps you’ve taken to achieve FISMA compliance so that you’re prepared in the event of a FISMA audit. 
  • Automate mapping and inventory of your supply chain. Many organizations are unaware of the number of third-party suppliers and services they use and their role in the supply chain. Since taking information system inventory is one of the basic requirements of FISMA, it’s helpful to have a tool that automatically maps your third parties along your supply chain. 
  • Ensure proper data destruction and disposal. Details of data destruction can be found in the Federal Information Processing Standards (FIPS) Publication 200. This is important as IT systems that are no longer in use still have the ability to expose sensitive data.

FISMA and Third-Party Risk

FISMA requires organizations to develop processes and meet specific standards in order to do business with the federal government. This includes the requirement for third parties to meet NIST guidelines for federal information systems, develop a risk management framework and conduct continuous monitoring to identify vulnerabilities and weaknesses that could lead to security incidents as early as possible. It also requires these third parties to have incident and response reporting capabilities to ensure security incidents are handled properly, minimizing any exposure or compromise or federal government data or systems. Finally, FISMA requires all third parties to gain accreditation or certification to be approved to enter a business relationship with the federal government or organizations that handle U.S. data.


Both FISMA and FEDRAMP have commonalities in that they both were established with the goal of protecting government data and information. While FISMA concentrates on information systems, however, FEDRAMP focuses on cloud security – specially, third-party cloud providers that do business with the federal government.

Another major difference is the level of authorization granted upon compliance. Since FEDRAMP certification is more rigorous, compliance permits a vendor to do business with any federal government agency, while FISMA compliance authorizes the vendor to do business with a specific agency. If the vendor wants to work in the future with another agency, it must re-apply for compliance, since the security controls and data security needs of each agency are different. In addition, the FEDRAMP certification requires that organizations have a security assessment conducted by a third-party assessment organization. As a result, organizations that seek to do business with a company and find that it is FEDRAMP-compliant often assume it is FISMA-compliant as well.

A final difference is that while FISMA is enforced by OMB and DHS, FEDRAMP is enforced by the General Services Agency (GSA).

The Benefits of FISMA Compliance

Governmental agencies that meet FISMA compliance can feel confident that they are delivering a high level of security to protect data and information systems of the U.S. government. For contractors and other organizations doing business with governmental agencies, FISMA compliance has additional benefits. Meeting FISMA compliance gives customers a certain amount of trust that your organization and its information systems operate under a secure process. This can be valuable as your organization explores new business opportunities and seeks to onboard new customers that are governmental agencies.

The Penalties for FISMA Non-Compliance

In the worst-case scenario, failing to comply with FISMA could result in the cancellation of federal funding. Although this may significantly impact agencies, it’s catastrophic for contractors. In addition to losing current government contracts, they may not be allowed to bid for future federal contracts. Non-compliance with FISMA also damages your reputation, leading to a loss of client trust and impact your ability to onboard new clients.

A Quick FISMA Compliance Checklist

As one of the most important regulations that assists in the economic and national interest goals of the United States, it is critical that organizations have a detailed plan for complying with these regulations. NIST has outlined the steps C-suite executives can take to meet FISMA compliance.

These steps include:

  1. Take inventory of all of the devices and information that should be protected. 
  2. Establish baseline security controls. 
  3. Regularly conduct a risk assessment to evaluate these security controls for an annual review. 
  4. Allow the IT system access to only the authorized personnel. 
  5. Continue to monitor the systems regularly.

How Panorays Helps Manage Third-Party Risk

FISMA compliance requires federal agencies, contractors and anyone doing business with the federal government to meet specific guidelines and standards, with the goal of keeping government data secure. Panorays can help third parties meet these standards so that they can gain the trust of new clients and quickly expand their client base to include the federal government and those with access to its data.

Its platform modules include:

  • Supply Chain Discovery and MappingTake inventory of all third parties, both known and unknown. Manage your entire third-party portfolio by defining the relationship between your organization and each third party. 
  • Risk DNA Assessments. Get an accurate and comprehensive Cyber Posture assessment in real-time, based on a combination of internal and external risk assessments, real-time threat intelligence and your organization’s KRIs and KPIs.
  • Continuous threat detection. Get third-party threat intelligence and receive exclusive critical findings of breaches or other security incidents with advanced third-party threat intelligence. Gain insight into your supply chain and the exact combination of business relationships and security incidents that FISMA certification could impact your organization.
  • Remediation and Collaboration. With comprehensive collaboration capabilities that minimize reliance on third party communication, you can close the gaps that pose the greatest risk to your organization.

Want to learn more about how Panorays can help you manage third-party risk? Get a demo today!