2.3 Federal Information Security Modernization Act (2002)
The Federal Information Security Modernization Act (FISMA), first enacted in 2002 and updated in December 2014, established roles and responsibilities for OMB, DHS, and agency CIOs to provide accountability for the delivery of information security capabilities. (CISA. Federal Information Security Modernization Act.) The 2014 FISMA update simplifies existing reporting to eliminate inefficient or wasteful reporting, while adding new reporting requirements for major information security incidents. FISMA requires the head of each Federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Additionally, FISMA requires agency heads to report on the adequacy and effectiveness of the information security policies, procedures, and practices of their enterprise. (CISA. Fiscal Year 2020 CIO FISMA Metrics.)
FISMA requires agencies to report the status of their information security programs to OMB and requires Inspectors General (IG) to conduct annual independent assessments of those programs. OMB and DHS collaborate with interagency partners to develop the CIO FISMA metrics, and with IG partners to develop the IG FISMA metrics to facilitate these processes. OMB also works with the Federal privacy community to develop [SAOP] metrics. These three sets of metrics together provide a comprehensive picture of an agency's cybersecurity and privacy performance. (OMB M-20-04. Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements. 11/19/2019.)
The legislation also provides DHS with authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices. FISMA codifies DHS's authority to administer the implementation of information security policies for non-national security Executive Branch systems, including providing technical assistance and deploying technologies to these systems. It also places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law.
Latest News
AI Transparency Listening Session with the White House Office of Management and Budget
The White House Office of Management and Budget (OMB) is leading a series of listening sessions to learn more from industry about their approaches to AI transparency and auditable risk management.
AI in Action: 5 Essential Findings from the 2024 Federal AI Use Case Inventory
This year, agencies publicly reported more than 1,700 ways they are using Artificial Intelligence (AI) to advance their missions and deliver better experiences to the public.
CISO Council and CDO Council Release Joint Guide on Federal Zero Trust Data Security
Today, the CISO Council and CDO Council released the Federal Zero Trust (ZT) Data Security Guide, a first-of-its-kind document and key deliverable of OMB M-22-09, Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. M-22-09 charged the Federal CDO Council and Federal CISO Council to convene a cross-agency working group of data and security experts to develop a data security guide for Federal agencies.