Status: In Force
Citation: 44 U.S.C. § 3551 et seq.

Federal Information Security Modernization Act

Also known as: FISMA

FISMA requires all federal executive branch agencies to develop, document, and implement agency-wide programs to provide information security for the information and systems that support agency operations. It mandates the use of NIST security standards and requires annual reviews, continuous monitoring, and incident reporting. Federal contractors who handle government information must also comply.

Jurisdiction: United States (Federal)
Regulator: Office of Management and Budget
Effective: 12/18/2014
Sector: government

Full Text / Summary

FISMA 2014 modernized the original 2002 law to emphasize continuous monitoring over periodic compliance reviews. Key requirements include: (1) agency-wide information security programs; (2) risk-based policies and procedures; (3) security awareness training; (4) periodic testing and evaluation; (5) remediation of deficiencies; (6) incident detection, reporting, and response; and (7) continuity of operations. The law requires agencies to follow NIST guidelines and report to OMB and DHS. The 2022 Federal Information Security Modernization Act further updated reporting requirements and incident response obligations.