Computer Security Resource Center

Risk Management

FISMA Background

The E-Government Act (Public Law 107-347), passed by the 107th Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA) and provides several modifications that modernize Federal security practices to address evolving security concerns. These changes result in less overall reporting, strengthened use of continuous monitoring in systems, increased focus on the agencies for compliance, and reporting that is more focused on the issues caused by security incidents.

FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, “Managing Federal Information as a Strategic Resource,” requires executive agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their systems
  • Authorize system processing prior to operations and, periodically, thereafter

These management responsibilities presume that responsible agency officials understand the risks and other factors that could adversely affect their missions. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information and systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

The FISMA publications are developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. The FISMA publications are consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

As a key element of the FISMA Implementation Project, NIST also developed an integrated Risk Management Framework which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.

FISMA 2014 required OMB to amend/revise A-130 to eliminate inefficient and wasteful reporting and reflect changes in law and advances in technology. Specific to security and privacy, the updated A-130 emphasizes their roles in the Federal information lifecycle and represents a shift from viewing security and privacy requirements as compliance exercises to crucial elements of a comprehensive, strategic, and continuous risk-based program at Federal agencies.


Created November 30, 2016, Updated March 29, 2018