Federal Information Security Management Act of 2002



The Federal Information Security Management Act of 2002 (FISMA) is US federal law requiring protection of sensitive data created, stored, or accessed by the Federal Government or any entity on behalf of the US Federal Government. The updated act is now called the Federal Information Security Modernization Act of 2014 (FISMA).


FISMA regulations apply to the university in one way when researchers use data provided by a federal entity. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements. Data regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language used by the researcher. Examples of research work that might be regulated by FISMA include research in which data is provided by federal entities such as: National Institutes of Health, NASA, and Dept. of Veterans Affairs. FISMA impacts Federal Contracts, Federal Grants, and Federal Data Usage Agreements.


The goal of complying with FISMA regulation is to find a balance between security and data access. Security considerations need to be part of IT management decisions, IT processes and daily operations. Organizations must execute their FISMA security plan while still achieving their mission and goals.


Compliance with FISMA is mandatory, failure after an award has been accepted could lead to contract termination and revocation of funds. In addition to monetary penalties, failure to pass a FISMA inspection can result in unfavorable publicity, increased oversight, criminal penalties and failure for the university to acquire future funds.


FISMA is administered by the Department of Homeland Security. Changes and updates can be found at https://www.dhs.gov/fisma.


Individual contracts may identify additional controls, but the following documents should be reviewed and considered in relation to FISMA compliance:

·         Federal Information Processing Standards (FIPS) 199        

·         Federal Information Processing Standards (FIPS) 200

·         NIST Special Publication 800-53 Revision 4

·         NIST Special Publication 800-171

·         NIST Special Publication 800-60

·         NIST Special Publication 800-37

·         NIST Special Publication 800-39

·         NIST Special Publication 800-53A Revision 4