FISMA – What is it?

As a part of the E-Government Act of 2002, the Federal Information Security Management Act (FISMA) of 2002 is a United States federal law that requires federal agencies to develop and implement an information security program.

FISMA is designed to reduce federal agencies' risk while providing security, functionality and accountability. FISMA sets security guidelines that must be implemented by each federal agency. These guidelines extend to contractor systems and state agencies that store, transmit or use federal data.

FISMA received an update and became the Federal Information Security Modernization Act (FISMA) of 2014. One of the important features of the new FISMA was its focus on Continuous Monitoring and real-time awareness of security risk levels. To provide standards and guidance, the National Institute of Standards and Technology (NIST) was selected to produce the guidelines required for securing systems and thus securing the data. NIST developed the standards and guidelines required by FISMA and the Office of Management and Budget (OMB). These documents, known as “publications”, include FIPS 199, FIPS 200, and the NIST 800 series.


At a high level, FISMA, through the NIST publications, provides agencies with guidance on:

  • Data Categorization (FIPS 199)

  • Control selection (FIPS 200)

  • System Security Plan development (SP800-37r2)

  • Risk Assessment (SP800-30)

  • Security control implementation guidance (SP800-53r4)

  • Security Control Assessment (SP800-53Ar4)

  • Privacy Threshold Analysis (PTA) (Agency specific)

  • Privacy Impact Assessment (PIA) (Agency specific)

Once security controls are implemented, the organization receives an Authority to Operate (ATO). FISMA then requires that each system enter the Continuous Monitoring phase, which includes annual assessments.

No matter which phase you are in, CISEVE can support you. Please contact us to discuss our services, which include:

  • New system document creation

  • New system assessment

  • Update existing documentation

  • Annual Continuous Monitoring assessments

  • Contingency Plans

  • Incident Response Plans

  • Independent Contingency Plan testing

  • Vulnerability scanning

  • Penetration testing