
FISMA

Also known as: Federal Information Security Modernization Act

US law requiring federal agencies (and their contractors) to implement an information-security program based on NIST standards.

FISMA (44 USC §3551 et seq.; enacted in 2002 as the Federal Information Security Management Act and replaced by the Federal Information Security Modernization Act of 2014) requires US federal agencies to develop, document, and implement an agency-wide information-security program covering the systems that support their operations and assets, including those operated by contractors on their behalf. Compliance is assessed through the NIST Risk Management Framework: each system is categorised under FIPS 199 (low, moderate, or high impact), the minimum requirements of FIPS 200 apply, and the corresponding NIST SP 800-53 control baseline is selected, tailored, implemented, and assessed before the system is authorised to operate.

Why it matters
Federal contractors and shared-service providers inherit FISMA obligations downstream, because agencies remain accountable for systems run on their behalf and flow the requirements into contracts. Agency inspectors general evaluate each agency's program annually and OMB reports the results to Congress, so FISMA findings become public and create reputational risk for the agency and its providers.

Related terms

NIST SP 800-53
NIST catalogue of 1000+ security and privacy controls and control enhancements for federal information systems (Rev 5), grouped into families and selected via low, moderate, and high baselines.
FedRAMP
Standardised US government program for cloud-service authorisation, based on NIST 800-53.
ATO (Authority to Operate)
Formal federal authorisation that an information system may operate at an accepted level of risk.

Does your program actually cover FISMA?

Run a free ComplianceIQ audit against FISMA and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
