Information Security and Federal Compliance

The Federal Information Security Management Act (FISMA) was passed in 2002 and requires federal agencies to implement cybersecurity programs to protect their systems and information. FISMA requires federal agencies to create and embed IT security plans, including policies for IT risk assessment. FISMA applies to federal information systems and networks, but it also covers information assets that are processed or managed by government contractors, like Truss, and by their subcontractors. FISMA promotes a risk-based approach to protecting information security across federal networks, so that cybersecurity protection scales with the risk of harm that a potential breach would cause.

A risk-based approach shows where time and resources are best invested. In practice, FISMA sets out a series of requirements that include meeting specific NIST standards for cybersecurity policy and procedure. FISMA was amended and modernized in 2014 by the Federal Information Security Modernization Act. Often referred to as FISMA 2014, the amendments reformed how compliance is reported, among other changes. This guide explores the background of FISMA, what it means for federal cybersecurity, and ways to achieve and maintain compliance.

Authorization to Operate

Risk Management Framework

  • RMF — Risk Management Framework