FISMA basics: What federal agencies and contractors need to know

The Federal Information Security Management Act was designed to improve the cybersecurity practices of U.S. federal agencies — but it also applies to innumerable government contractors


FISMA definition: What does FISMA stand for?

FISMA, or the Federal Information Security Management Act, is a U.S. federal law passed in 2002 that seeks to establish guidelines and cybersecurity standards for government tech infrastructure, and in so doing protect government information and operations. The law was modified in 2014 to put more emphasis on continual monitoring with the passage of the similarly named Federal Information Security Modernization Act; generally, discussions of FISMA refer to the set of regulations established by both these laws.

Like most federal cybersecurity laws, FISMA constitutes a complex set of rules that are intended to be at least somewhat flexible. While the initial intention of the law was to establish standards that the IT departments for federal agencies would follow, the sprawling nature of the government and its tight interconnection with private contractors means that the FISMA umbrella covers many, many organizations—including, maybe, yours.

Who must comply with FISMA?

Originally, FISMA was designed to strengthen IT infrastructure operated and maintained by the U.S. federal government. To that end, as the consultancy Aronson puts it in its whitepaper on FISMA compliance, the law “requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.”

There are a few important things to note in this description. One is the emphasis on “information and information systems.” The rules are really about assessing the security of individual systems, rather than companies or agencies as a whole. And because in practice federal agencies interact with or rely on outside organizations to provide IT services, FISMA rules apply to those organizations as well. These might range from state government agencies helping administer joint state-federal programs like Medicaid to private companies providing the feds with software or services.

But because FISMA is primarily written to impose standards on federal agencies, it affects private companies differently than laws like HIPAA, which mandate direct penalties like hefty fines on companies that don’t live up to the rules. By contrast, under FISMA, a person designated an Authorizing Official (AO)—generally, a high-level manager with responsibility over infosec at a federal agency—is in charge of determining if an information system complies with FISMA’s standards, whether that system is run in-house by the agency or is operated by another public body or a private federal contractor. This sign-off is known as an Authority To Operate (ATO), and the AO assumes responsibility for the systems to which they grant ATOs. If there’s a breach or other security failure in a system to which an ATO has been granted, it’s the AO and their team who would take the fall for it—and as you can imagine, there are career consequences for serious breaches.

But if the affected system is supplied by a private contractor, that company can’t expect to emerge from the incident unscathed. As RSI Security explains on its blog, contractors who are discovered to have fallen short of FISMA’s requirements probably at the least will find the specific contract for that system cancelled; depending on the severity of the security shortfall, they might also be blackballed from other federal contracts, and company execs might even find themselves hauled before a Congressional hearing to explain themselves.