
NIST Risk Management Framework (RMF)

Federal Information Security Modernization Act (FISMA) Background

The suite of NIST information security risk management standards and guidelines is not a "FISMA compliance checklist." Federal agencies, contractors, and other organizations that use or operate a federal information system use the suite of NIST risk management standards and guidelines to develop and implement a risk-based approach to managing information security risk. FISMA emphasizes the importance of risk management. Compliance with applicable laws, regulations, executive orders, directives, etc., is a byproduct of implementing a robust, risk-based information security program, not the goal in itself.

The NIST Risk Management Framework (RMF) provides a flexible, holistic, and repeatable seven-step process to manage security and privacy risk and links to a suite of NIST standards and guidelines that support the implementation of risk management programs meeting the requirements of the Federal Information Security Modernization Act (FISMA).

The risk-based approach of the NIST RMF helps an organization:

  • Prepare for risk management through the essential activities critical to the design and implementation of a risk management program.
  • Categorize systems and information based on an impact analysis.
  • Select a set of NIST SP 800-53 controls to protect the system, based on the categorization and on risk assessments.
  • Implement the controls, and document how the controls are deployed.
  • Assess the control implementation to determine whether the controls are in place, operating as intended, and producing the desired results with respect to managing risk.
  • Authorize the system to operate through a senior-level official who understands the controls in place to manage risk and any residual risk, and who accepts that residual risk.
  • Continuously monitor the control implementation and changes to the risks to the system.

What is FISMA?

The Federal Information Security Management Act (FISMA) [FISMA 2002], Title III of the E-Government Act of 2002 (Public Law 107-347), was passed in December 2002. FISMA 2002 requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The Federal Information Security Modernization Act of 2014 amends FISMA 2002 with several modifications that modernize federal security practices to address evolving security concerns. These changes reduce overall reporting, strengthen the use of continuous monitoring in systems, and shift the focus of agency compliance and reporting toward the issues caused by security incidents. FISMA 2014 also required the Office of Management and Budget (OMB) to revise OMB Circular A-130 to eliminate inefficient and wasteful reporting and to reflect changes in law and advances in technology.

FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing FISMA, the Office of Management and Budget (OMB), through Circular A-130, "Managing Federal Information as a Strategic Resource," requires executive agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their systems
  • Authorize system processing prior to operations and, periodically, thereafter


What does FISMA require?

Federal agencies need to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:

  • information collected or maintained by or on behalf of an agency
  • information systems used or operated by an agency, or by a contractor of an agency or another organization on behalf of an agency

Federal agencies also need to "com[ply] with the information security standards and guidelines, and mandatory required standards developed by NIST."


To whom does FISMA apply?

Federal agencies, and the contractors or other organizations that provide information security for the information and information systems supporting the operations and assets of an agency.

What is a Federal Information System?

As defined in FISMA 2002, "[t]he term ‘Federal information system’ means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency."

Created November 30, 2016, Updated July 22, 2021