FISMA compliance is mandatory for all federal agencies, as well as contractors or other organizations who support their IT systems.
This federal law defines a framework for protecting information and information systems from unauthorized access. NIST is charged with developing standards and guidelines, and with assisting implementation.
Enacted in 2002, FISMA recognized the importance of data protection to the US economy and to national security.
Poor compliance can result in censure by Congress, bad publicity, or reduced funding.
FISMA requires agency heads to implement policies and procedures that reduce IT security risks in a cost-effective way. Compliance is evaluated and reported annually to the OMB, which makes the “report card” public. The reports must include an independent evaluation by the agency inspector general or an external auditor.

The FISMA framework includes the following requirements:

  • Inventory of information systems
  • Categorize information and information systems according to risk level
  • Security controls
  • Risk assessment
  • System security plan
  • Certification and accreditation
  • Continuous monitoring