FISMA

The Federal Information Security Management Act (FISMA) was signed into law in 2002 as Title III of the E-Government Act of 2002. Recognizing that both the national and economic security of the United States depend on a robust information security infrastructure, FISMA requires each federal agency to develop, document, and implement an agency-wide program to protect the confidentiality, integrity, and availability of the agency's information and information systems. The law applies to all federal agencies, to their contractors, and to any other party that handles information or operates systems on behalf of an agency. FISMA relies on Federal Information Processing Standards (FIPS) 199 (security categorization) and FIPS 200 (minimum security requirements) to define the impact levels and baseline controls that agency programs must meet.

FISMA gave the National Institute of Standards and Technology (NIST) the responsibility to develop the standards and guidelines (the FIPS publications and the NIST Special Publication 800 series) that agencies use to build acceptable information security and risk management programs. In 2014 FISMA was amended by the Federal Information Security Modernization Act of 2014 (Public Law 113-283), which made the Secretary of the Department of Homeland Security (DHS) responsible for administering the implementation of information security policies and practices for federal civilian information systems, with the Office of Management and Budget (OMB) retaining policy oversight. The amendment also requires, among other things, that agencies notify Congress of major security incidents within seven days of discovery.

FISMA's safeguarding and incident-reporting obligations flow down to contractors. For Department of Defense (DoD) contractors they are implemented through the Defense Federal Acquisition Regulation Supplement (DFARS), and under the DFARS interim rule issued in December 2015 contractors must meet two basic cyber security requirements. First, they must provide adequate security to protect covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure. Second, they must rapidly report cyber incidents to DoD (within 72 hours of discovery) and cooperate with DoD in responding to them, including preserving and providing access to affected media and submitting any malicious software identified.