
Federal Information Security Modernization Act (FISMA)

FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations

Contact: ISPG Policy Team | CISO@cms.hhs.gov
CMS Slack Channel
  • #ispg-sec_privacy-policy

What is FISMA?

The Federal Information Security Modernization Act (FISMA) defines a framework of guidelines and security standards to protect government information and operations.

FISMA was originally passed as the Federal Information Security Management Act in 2002 as part of the E-Government Act. It requires all federal agencies to develop, document, and implement agency-wide information security programs.

This law was amended by the Federal Information Security Modernization Act of 2014 (sometimes called FISMA Reform), passed in response to the increasing number of cyberattacks on the federal government.

FISMA defines three security objectives for information and information systems:

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity: Guarding against improper information modification or destruction, which includes ensuring information nonrepudiation and authenticity.

Availability: Ensuring timely and reliable access to and use of information.

FISMA compliance

A key requirement of FISMA is that program officials, and the head of each agency, must conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels. The Office of Management and Budget (OMB) is the agency responsible for final oversight of the FISMA compliance efforts of each agency.

While FISMA sets the legal requirement for annual compliance, the National Institute of Standards and Technology (NIST) is the government body responsible for developing the standards and policies that agencies use to ensure their systems, applications, and networks remain secure. To be FISMA-compliant, agencies must:

Implement continuous monitoring

Agencies must continually monitor FISMA-accredited systems to identify potential weaknesses. Any changes should be documented in the System Security and Privacy Plan (SSPP). Continuous monitoring also allows agencies to respond quickly to security incidents or data breaches. CMS is working towards a more robust approach to continuous monitoring through programs like Continuous Diagnostics and Mitigation and Ongoing Authorization.

Conduct annual security reviews

Program officials and agency heads must conduct annual security reviews in order to obtain a FISMA certification. Certification and accreditation are defined in NIST SP 800-37.

Perform risk assessment

System risk should be evaluated regularly to validate current security controls and to determine if additional controls are required. At CMS, this is done through assessments such as the Cybersecurity and Risk Assessment Program (CSRAP).

Document the controls in the system security plan

Documentation on the baseline controls used to protect a system must be kept in the form of a System Security and Privacy Plan (SSPP). This is a key deliverable in the process of getting Authorization to Operate (ATO) for a FISMA system.

Meet baseline security controls

Federal systems must meet minimum security requirements. NIST SP 800-53 outlines the suggested security controls for FISMA compliance. FISMA does not require an agency to implement every single control, but they must implement the controls relevant to their systems and their function. At CMS, standards for security controls are documented in the CMS Acceptable Risk Safeguards (ARS).

Perform system risk categorization

Information systems must be categorized according to their risk levels to ensure that sensitive information and High Value Asset (HVA) systems are given the highest level of security. The categorization process considers the type of information contained in or processed by a system, and will determine what security controls are needed. 

The categorization levels follow those prescribed in FIPS Publication 199 from NIST (Standards for Security Categorization of Federal Information and Information Systems).

At CMS, system categorization happens in CFACTS and results in a categorization of “Low”, “Moderate”, or “High” depending on the level of impact that would occur if the information or the information system were compromised.

Impact level LOW

A low impact level occurs when the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: 

  • Cause an interruption to mission capability, but CMS is still able to perform its primary functions
  • Noticeably reduce the effectiveness of those functions
  • Result in minor damage to organizational assets
  • Result in minor financial loss
  • Result in minor harm to individuals

Impact level MODERATE

A moderate impact level occurs when the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: 

  • Cause a significant deterioration of mission capability, but CMS is still able to perform its primary functions
  • Significantly reduce the effectiveness of those functions
  • Result in significant damage to organizational assets
  • Result in significant financial loss
  • Result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries

Impact level HIGH

A high impact level occurs when the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: 

  • Cause a severe degradation in or total loss of mission capability
  • Leave the organization unable to perform one or more of its primary functions
  • Result in major damage to organizational assets
  • Result in major financial loss
  • Result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
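The categorization process above, carried through as an added worked example (this is not CMS or CFACTS code): each information type a system handles is rated Low, Moderate, or High for confidentiality, integrity, and availability, and the system's category is derived from those ratings. The aggregation rule used here, taking the highest value per objective and then the highest objective overall (the "high-water mark"), comes from FIPS 199 and FIPS 200 rather than from this page, and the two information types are constructed sample data.

```python
from enum import IntEnum
from typing import Dict, Tuple

class Impact(IntEnum):
    """FIPS 199 potential impact values; the integer order lets max() act as the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def categorize(info_types: Dict[str, Tuple[Impact, Impact, Impact]]):
    """Return (per-objective impact dict, overall system category).

    Each information type carries its own (C, I, A) impact triple. The
    system-level value for each objective is the highest value any type
    assigns to it, and the overall category is the highest objective value
    (the FIPS 199 / FIPS 200 high-water mark, assumed as the aggregation rule).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {
        obj: max(levels[i] for levels in info_types.values())
        for i, obj in enumerate(OBJECTIVES)
    }
    overall = max(per_objective.values())
    return per_objective, overall

def sc_notation(per_objective: Dict[str, Impact]) -> str:
    """Render the FIPS 199 'SC = {(objective, impact), ...}' expression."""
    parts = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in per_objective.items())
    return f"SC = {{{parts}}}"

# Constructed sample: two information types on one hypothetical system.
SAMPLE_SYSTEM = {
    "beneficiary records (constructed)": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "public program guidance (constructed)": (Impact.LOW, Impact.MODERATE, Impact.LOW),
}

if __name__ == "__main__":
    per_obj, overall = categorize(SAMPLE_SYSTEM)
    print(sc_notation(per_obj))                 # per-objective high-water marks
    print("overall system category:", overall.name)
```

Because a single High rating on any one objective raises the whole system to High, the per-objective breakdown is worth recording alongside the overall level in the SSPP so that the control baseline can be justified.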