FISMA Requirements: List of Official Mandates and Practices



Jul 10, 2024

Mastering FISMA Compliance: Essential Requirements Explained

The Federal Information Security Management Act (FISMA) is a United States law that came into effect in 2002. Its goal is to guide federal agencies handling sensitive government information systems to develop, document, implement, and maintain security programs that protect their information systems. FISMA also focuses on developing risk-based policy for cost-effective security. 

In this blog, we explore the nuances of FISMA requirements and the easiest way to implement them. 

What are FISMA requirements and who should implement them?

FISMA requirements are the set of security policies, guidelines, and recommendations established under the Act. 

It requires agency officials, Chief Information Officers, and IGs (Inspectors General) to report the results of annual reviews of their information systems to the OMB (Office of Management and Budget). 

The agencies are responsible for implementing baseline security controls, reducing the risks to information systems, and ensuring the highest level of security. 

Is FISMA important for your business?

FISMA is mandatory for federal agencies and for contractors who access or operate federal government systems. NIST describes federal information systems as information systems used or operated by executive agencies, by their contractors, or by an organization operating on behalf of an executive agency. 

Since the data deployed in such systems are highly confidential and sensitive, it is crucial to protect them against unauthorized access or disclosure. 

Federal agencies are required to conduct annual reviews of their information security program and report the results to the Office of Management and Budget (OMB). If the review finds inadequate measures or non-compliance that falls below the minimum standard, the result can be loss of the contract. 

List of FISMA requirements: seven main activities explained 

FISMA defines a set of guidelines for federal information systems operated by government agencies and their contractors. 

FISMA extensively cross-references NIST publications, supporting policies, and standards throughout these processes. A few examples are FIPS 199, FIPS 200, NIST SP 800-53, OMB Circular A-130, and NIST SP 800-59. You will find these references in the activities explained below. 

If you want your information system to be accredited, these are the requirements you have to meet:

FISMA requirement 1: Information system inventory

Create and maintain an up-to-date inventory of the information systems and applications that process PII (personally identifiable information). The inventory should record the interdependencies between these systems, including dependencies between internal and external systems, so they can be tracked. 

The inventory should include the following components: 

  • System name
  • Software owners 
  • Software version number
  • Hardware inventory details
  • Software license data
  • Machine name and network address of all protocols
  • Inventory specifications like cost, model, manufacturer, physical locations, etcetera

NIST SP 800-53 recommends the following practices for maintaining an inventory under control CM-8 (Configuration Management – System Component Inventory): 

  • Update the system inventory whenever a component is installed, removed, or updated. 
  • Implement an automated system to detect and monitor unauthorized activities. If detected, you can disable network access, isolate the components, or notify authorized personnel. 
  • Use a process to maintain and update the list of individuals responsible and accountable for administering the system components. 
  • Detail the configuration setting of the system components that have been set up in compliance with requirements. 
  • Use an automated mechanism to track the location of system components and identify the responsible individual in the event of a breach. 
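The reconciliation that the CM-8 practices above call for, as an added example that is not part of the original post: an authorized inventory is compared with what discovery actually found, and unauthorized, drifted, relocated, ownerless, or missing components are reported. The record layout and all sample data are constructed for illustration.

```python
"""Reconcile an authorized CM-8 component inventory against discovered components.
Added example; the component layout and sample values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str       # machine name
    address: str    # network address
    owner: str      # responsible individual (empty string = unassigned)
    version: str    # software version
    location: str   # physical location


# Constructed authorized inventory: what the CM-8 record says should exist.
AUTHORIZED = {
    "hr-db-01": Component("hr-db-01", "10.0.1.10", "j.doe", "14.2", "DC-A rack 3"),
    "hr-app-01": Component("hr-app-01", "10.0.1.20", "j.doe", "2.8.1", "DC-A rack 3"),
    "fileshare-01": Component("fileshare-01", "10.0.1.30", "", "9.1", "DC-B rack 1"),
}

# Constructed discovery results, e.g. from an agent report or authorized scan.
DISCOVERED = [
    Component("hr-db-01", "10.0.1.10", "j.doe", "14.2", "DC-A rack 3"),
    Component("hr-app-01", "10.0.1.20", "j.doe", "2.9.0", "DC-A rack 3"),  # version drift
    Component("fileshare-01", "10.0.1.30", "", "9.1", "DC-B rack 2"),      # moved, no owner
    Component("unknown-box", "10.0.1.99", "", "?", "unknown"),             # not authorized
]


def reconcile(authorized, discovered):
    """Return sorted (finding_code, component_name) pairs."""
    findings, seen = set(), set()
    for comp in discovered:
        seen.add(comp.name)
        base = authorized.get(comp.name)
        if base is None:
            # CM-8(3): unauthorized component; candidate for isolation and notification.
            findings.add(("UNAUTHORIZED", comp.name))
            continue
        if comp.version != base.version:
            findings.add(("VERSION_DRIFT", comp.name))
        if comp.location != base.location:
            findings.add(("LOCATION_CHANGED", comp.name))
        if comp.address != base.address:
            findings.add(("ADDRESS_CHANGED", comp.name))
        if not comp.owner:
            # CM-8(4): every component needs an accountable individual on record.
            findings.add(("NO_OWNER", comp.name))
    for name in authorized.keys() - seen:
        # Authorized but not observed: the record is stale or the component is offline.
        findings.add(("MISSING", name))
    return sorted(findings)


if __name__ == "__main__":
    for code, name in reconcile(AUTHORIZED, DISCOVERED):
        print(f"{code:17} {name}")
```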

FISMA requirement 2: Categorize systems and data

FISMA recommends consulting NIST SP 800-59 to assess whether your information system is a national security system. For non-national security systems, assess the impact that a breach would have on the system’s security objectives—confidentiality, integrity, and availability. To determine the impact level, categorize the information systems and the types of information they handle. 

To categorize your information system effectively, identify all the data you store, transmit, and process and determine its impact values. These values are assigned per security objective: confidentiality (low/moderate/high), integrity (low/moderate/high), and availability (low/moderate/high). 

Next, determine the security and risk category as per FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems). There are three levels of risk categorization described in FIPS 199. These are: 

  • Low-impact information system: If a breach has a limited impact on the organization’s operations, assets, and individuals, the limited effect implies that the incident has hampered business operations, but its primary functions continue. Financial loss and damage to organizational assets are also minimal.
  • Moderate impact information system: If the system falls under the moderate impact category, the aftermath of a compromise has serious or adverse effects on the assets, operations, and individuals. In this case, too, the organization is able to continue its primary operations. However, the effectiveness of these functions takes a significant hit, and the assets are severely damaged.  
  • High impact information system: Finally, if a high-impact system is compromised, the organization cannot continue one or more of its primary business functions. The compromise results in severe damage to the organization’s assets, major financial loss, and even catastrophic harm to individuals. 

The table below illustrates the relation between each security objective and the potential impact that its loss can have on operations, assets, and individuals. 

Security objective    Potential impact
                      Low                     Moderate                  High
Confidentiality       Limited adverse effect  Serious adverse effect    Severe or catastrophic effect
Integrity             Limited adverse effect  Serious adverse effect    Severe or catastrophic effect
Availability          Limited adverse effect  Serious adverse effect    Severe or catastrophic effect
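The categorization step described above, as an added example that is not part of the original post: per-objective impact values for each information type a system handles are combined into the system’s FIPS 199 security category, and the FIPS 200 high water mark (the highest of the three objectives) gives the single impact level used to pick a NIST SP 800-53 baseline. The information types and their impact values are constructed.

```python
"""FIPS 199 security categorization of a system from its information types.
Added example; information types and impact values are constructed."""

LEVELS = ("low", "moderate", "high")   # ordered, so LEVELS.index() ranks them
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types with provisional (C, I, A) impact values.
INFO_TYPES = {
    "employee PII": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "payroll ledger": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}


def max_level(levels):
    """Highest impact level in an iterable of level names."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """FIPS 199: for each objective, the system takes the highest value assigned
    to that objective by any information type it stores, processes or transmits."""
    for name, vals in info_types.items():
        for obj in OBJECTIVES:
            if vals.get(obj) not in LEVELS:
                raise ValueError(f"{name}: invalid {obj} impact {vals.get(obj)!r}")
    return {obj: max_level(v[obj] for v in info_types.values()) for obj in OBJECTIVES}


def overall_impact(category):
    """FIPS 200 high water mark: the single level that selects the 800-53 baseline."""
    return max_level(category.values())


def format_category(category):
    """Render the category in the SC notation used by FIPS 199."""
    inner = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


if __name__ == "__main__":
    sc = categorize_system(INFO_TYPES)
    print(format_category(sc))
    print("baseline impact level:", overall_impact(sc))
```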

FISMA requirement 3: Implement security controls

Organizations must select and implement appropriate security controls described in NIST SP 800-53 (Recommended Security Controls for Federal Information Systems). Controls should be selected according to the system’s level of risk. 

NIST SP 800-53 lists 20 control families with 325 controls that help organizations: 

  • Improve their privacy and security functions needed to scale business operations and protect individual privacy and information.
  • Analyze the controls to determine their applicability for specific technologies, operational environments, and business functions. 
  • Specify security and privacy policies to develop custom processes for controls with variable parameters. 

The 20 control families are: 

  • AC – Access Control
  • AT – Awareness and Training
  • AU – Audit and Accountability
  • CA – Security Assessment and Authorization
  • CM – Configuration Management
  • CP – Contingency Planning
  • IA – Identification and Authentication
  • IR – Incident Response
  • MA – Maintenance
  • MP – Media Protection
  • PE – Physical and Environmental Protection
  • PL – Planning
  • PS – Personnel Security
  • PT – PII Processing and Transparency
  • RA – Risk Assessment
  • SA – System and Services Acquisition
  • SC – System and Communications Protection
  • SI – System and Information Integrity
  • SR – Supply Chain Risk Management
  • PM – Program Management


FISMA requirement 4: Conduct risk assessments

Conducting a risk assessment helps agencies evaluate the effectiveness of their controls. The assessment result is then used to determine whether additional controls are needed to reduce the risk to the information system. 

As per NIST SP 800-53 control RA-3 (Risk Assessment), this process should factor in system vulnerabilities, the impact of unauthorized access, and harm to individuals. It requires organizations to: 

  • Assess risks associated with the supply chain, such as dishonest development practices, defective components, counterfeits, etcetera. 
  • Use intelligence from all sources to assess the risk posed by vulnerabilities. 
  • Continuously assess the threat in your environment using the gathered intelligence. Update your procedures to level up with the evolving threat landscape. 
  • Implement systems with automation, machine learning, and analytical capabilities to assist your security team in proactively identifying and predicting risks. 

FISMA requirement 5: Develop a system security plan

A system security plan or SSP is your implementation roadmap detailing the selected security controls. The plan should include policies, supporting documents like risk assessment, and plan of action and milestones (POA&M).

Your security and privacy control scope should be designed as per the system components. It should also comprise an overview of the security and privacy requirements. Describe the use case of each control, a detailed process to implement them, and a plan to assess its effectiveness. 

You can approach the SSP in two ways – develop a single, integrated plan or multiple plans. It can be a collection of multiple documents rather than a single one. It should extensively refer to policies, processes, and other relevant documents wherever applicable. The SSP documentation should consist of:

  • Detailed descriptions of the system components
  • Description of the system’s applicability to support business objectives and processes 
  • Individuals assigned to manage the system and the rules associated with their responsibilities
  • Individuals tasked with a system activity and their roles and responsibilities
  • Security threats that may impede business operations
  • Risk assessment reports for systems processing PII
  • Description of the operational environment for systems interdependencies with other system components
  • Applicable baseline controls or overlays, if any
  • Risk analysis for the security and privacy architecture 
  • Security- and privacy-related activities affecting the system that require the organization to plan and coordinate with the assigned individuals 

FISMA requirement 6: Certification and accreditation

Once you have documented the SSP and conducted the risk assessment, the next steps are certification and accreditation. FISMA differentiates between these two activities, which are closely related. 

Security certification is a supporting activity that precedes accreditation. Certification equips authorizing officials with the knowledge and understanding necessary to make the right risk decisions. The officials should assess the security controls and information system to inspect its operational effectiveness and implementation errors. 

You can refer to NIST SP 800-53A to assess security controls using standardized methods. FISMA certification activities involve: 

  • Gathering documents and supporting data pertaining to the security controls in the information system. 
  • Selecting and developing the right controls and methods to evaluate the operational and technical security controls.
  • Preparing the security assessment report that details the assessment result and corrective actions to patch the control deficiencies.  
  • Sharing the assessment report with the list of corrective actions with the system owner, who prepares the POA&M based on the result. 
  • Submitting the accreditation package to the authorizing official. The package contains: a) the assessment report, b) the POA&M, and c) the updated system security plan. 

Security accreditation refers to risk management and acceptance. The senior agency official authorizes the information system to operate based on the implementation of the selected security controls. The authorizing official collaborates with the system owner, security officer, and certification agent to confirm the vulnerabilities and mitigate them. It involves the following activities: 

  • The authorizing official confirms the vulnerabilities listed in the accreditation package and determines their impact. 
  • The authorizing official determines if the level of risk is acceptable and prepares the accreditation letter containing the final decision. 
  • The authorizing official shares a copy of the decision letter with the system owner and other officials.
  • The system owner updates the plan based on the level of risk. 

FISMA requirement 7: Continuous control monitoring

Continuous monitoring activities are not just a certification and accreditation requirement. At an organizational level, they help the individuals responsible for various system activities stay informed about the security posture, which is a critical factor in making sound risk decisions. 

You can use the monitoring activity result to configure system authorization and controls that align with changing business needs and continuously evolving threats, vulnerabilities, and technologies. Remember that the monitoring frequency is not the same for all controls. 

NIST SP 800-137A provides detailed guidelines for developing ISCM (Information Security Continuous Monitoring) programs. The guideline recommends using a combination of automated and manual tools and technologies to meet monitoring goals. 

These goals include detecting anomalies, identifying environmental changes, gaining visibility into assets, understanding the threat environment, evaluating control effectiveness, and managing security posture. 

It organizes the process into six high-level steps: 

  1. Define a strategy: Your monitoring strategy should be drawn up based on the organization’s risk tolerance level, known vulnerabilities, threat information, and business impact. It applies to each system in the organization’s infrastructure as well as to systems supporting business operations. 
  2. Establish a program: Determine the metrics, the frequency for monitoring their status, the frequency for assessing controls, and the technical architecture needed to establish your ISCM program. 
  3. Implement the strategy: Implement the plan to gather data for metrics, assessments, and reporting. Automate these processes wherever possible. 
  4. Analyze data and report findings: Determine the right course of action to address the gaps revealed by the data and report them. In certain cases, additional data may be necessary to gain insight into the monitoring results. 
  5. Respond to the findings: Several methods and processes can be used to reduce risk to a low impact level; examples include technical management, risk mitigation activities, and accepting, transferring, avoiding, or rejecting the risk. 
  6. Review and update: As continuous monitoring is an ongoing activity, you should adjust the strategies appropriately. Improve the measurement techniques to ensure full visibility into assets and vulnerabilities and enhance the use of data to control the organization’s information infrastructure. 

The faster and cost-effective way to meet FISMA requirements

To meet FISMA requirements, you need continuous visibility into your controls so that you can reduce risk to an acceptable level and close security gaps. 

Achieving compliance with a framework as stringent and comprehensive as FISMA is not easy, especially without tools like Sprinto, which automates up to 90 percent of the activities. 

Sprinto is a compliance automation tool that helps you get accredited by doing all the heavy lifting for your team.

  • It continuously monitors your controls to identify gaps against the FISMA requirements. 
  • It offers a library of customizable policies to launch a FISMA program in days. 
  • It conducts risk assessments using industry-trusted benchmarks. 
  • It builds resilience using risk intelligence to improve your security posture.
  • It integrates with your cloud environment to assess the type of data you process and recommend controls. 

Schedule a demo now to learn how we can help you. 


What are the five FISMA requirements?

The five FISMA compliance requirements include identifying security risks, protecting against a wide range of potential threats, detecting security breaches, responding to cyber threats, and recovering from security incidents. 

Who is subject to FISMA?

FISMA applies to federal government agencies in the United States, to their private contractors operating federal systems, and to private businesses offering services to these agencies, such as cloud service providers. 

What are the penalties for FISMA compliance violation?

If you fail to meet the minimum security requirements of FISMA, you risk losing federal funding, losing contracts with federal agencies, and even suffering reputational damage. 

What is the difference between FISMA security certification and accreditation process?

FISMA security certification helps to verify and assess the information system to ensure that it meets the minimum level of protection. The FISMA accreditation process evaluates your posture and authorizes it to operate based on factors like tolerance levels, risk management practices, and risk mitigation strategies. It is mandated by OMB A-130. 



Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
