Ask Our VP of Compliance: August 2020

What is FISMA?

FISMA is the Federal Information Security Management Act. It is a high-level law that mandates a level of cybersecurity for all federal agencies and federal contractors. It was enacted by Congress in 2002 and updated in 2014.

While FISMA delegates cybersecurity responsibility to the various federal departments and agencies, it also centralizes a significant amount of cybersecurity functions (including mandates) to the Department of Homeland Security (DHS) and leaves the nitty-gritty standards and guidelines to the National Institute of Standards and Technology (NIST) to hammer out. 

The direct FISMA mandates on federal agencies are the following:

  • Periodic risk assessments
  • Policies and procedures that are based on risk assessments
  • Subordinate plans for cybersecurity
  • Security awareness training
  • Annual testing and evaluation of information security policies and procedures
  • Remedial action to correct security flaws
  • Security incident detection, reporting, and response procedures
  • Business continuity plans
  • Notification on data breaches

The indirect FISMA mandates on agencies and contractors, which flow through NIST via its standards, are exhaustive and located in NIST SP 800-53. It contains over 500 pages of controls that entities must select from depending on whether their information systems are deemed low impact, medium impact, or high impact.

While the SP 800-53 controls are beyond the scope of this article, I recommend that you take a look at how detailed and complicated the control document is.

Building and maintaining a cybersecurity system using SP 800-53 is no easy task and requires a team of highly skilled professionals to guide you through it. At Digital Edge, we have such a team ready to go and would be happy to assist.


Keith J. Barry, Esq.
VP of Compliance

Keith J. Barry joined Digital Edge in 2013. Keith possesses a BA in Computer Science, a Juris Doctor degree from Brooklyn Law School, as well as several industry certifications including AWS Cloud Architect, CompTIA Network+, and CompTIA Server+. His career has mirrored his diverse interests, and Keith has experience on the technical side as a senior systems administrator, and on the legal/business side as an attorney and cybersecurity compliance officer.
