
Federal Information Security Modernization Act

Cybersecurity framework for federal agencies and their contractors

Established: 2002 (FISMA); 2014 (Modernization Act)
Last Updated: 2023 (FISMA Metrics Updates)
Scope: U.S. Federal Agencies and Contractors
20 NIST Control Families

What does FISMA require federal agencies and contractors to do?

The Federal Information Security Modernization Act (FISMA) requires every federal agency to run a documented, risk-based information security program aligned with NIST standards. In practice that means categorizing each system by impact level under [FIPS 199](https://csrc.nist.gov/publications/detail/fips/199/final), selecting and implementing controls from [NIST SP 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/5-0/final), and obtaining an Authorization to Operate (ATO) before a system goes live. Contractors and cloud providers handling federal data carry the same obligations. OMB issues annual implementation guidance; the current memo, [M-25-04](https://whitehouse.gov/wp-content/uploads/2025/01/M-25-04-Fiscal-Year-2025-Guidance-on-Federal-Information-Security-and-Privacy-Management-Requirements.pdf) (January 2025), adds automated endpoint detection and response (EDR) metrics to the annual reporting scorecard. FedRAMP applies this same framework to cloud services.

// What is FISMA?

FISMA establishes a comprehensive framework for securing federal government information systems. The law requires federal agencies to develop, document, and implement agency-wide information security programs to protect data and systems.

FISMA mandates risk-based security controls aligned with NIST guidelines, particularly NIST SP 800-53. Agencies must categorize systems by impact level, implement appropriate controls, assess effectiveness, and authorize systems before operation. Continuous monitoring and annual reporting to Congress are required.

Contractors and third parties operating systems on behalf of federal agencies must also comply with FISMA requirements, making it essential for organizations in the federal supply chain to understand and implement these standards.

// Inside the Regulation

FISMA compliance follows the Risk Management Framework (RMF) defined in NIST SP 800-37, with security controls from NIST SP 800-53. The framework provides a structured approach to managing information security risk.

1. Risk Management Framework Steps

FISMA compliance follows the six-step NIST Risk Management Framework for system authorization.

Categorize

Determine system impact level (Low, Moderate, High) based on FIPS 199 criteria for confidentiality, integrity, and availability.

Select

Choose appropriate security controls from NIST SP 800-53 based on system categorization and organizational requirements.

Implement

Deploy selected security controls and document implementation details in the System Security Plan (SSP).

Assess

Evaluate control effectiveness through testing and examination; document the results in the Security Assessment Report (SAR).

Authorize

The Authorizing Official reviews the security package and issues the Authorization to Operate (ATO) decision.

Monitor

Continuously monitor controls, report security status, and manage ongoing authorization.
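The Categorize and Select steps above can be made concrete. The following added example (not code from this page or from NIST) applies the FIPS 199 high-water-mark rule to a system that processes several information types and then derives the SP 800-53 baseline; the information types and their impact levels are constructed sample values, not taken from SP 800-60.

```python
"""FIPS 199 system categorization and SP 800-53 baseline selection (added example)."""
from dataclasses import dataclass

# Ordering used for the high-water mark. FIPS 199 allows "N/A" only for the
# confidentiality of public information, and only at the information-type level.
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize_system(info_types):
    """Return {objective: level} for the whole system (FIPS 199 Section 3).

    For each security objective the system level is the high-water mark over
    all information types it processes. A system never categorizes below LOW,
    so an N/A confidentiality on a public information type is raised to LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        levels = [getattr(t, objective).upper() for t in info_types]
        unknown = [lvl for lvl in levels if lvl not in RANK]
        if unknown:
            raise ValueError(f"unknown impact level(s) for {objective}: {unknown}")
        top = max(levels, key=RANK.__getitem__)
        category[objective] = top if RANK[top] >= RANK["LOW"] else "LOW"
    return category


def select_baseline(category):
    """SP 800-53 baseline per FIPS 200: high-water mark across the three objectives."""
    return max(category.values(), key=RANK.__getitem__)


# Constructed sample system: a public-facing grants portal.
SAMPLE_SYSTEM = [
    InfoType("Public program notices", "N/A", "LOW", "LOW"),
    InfoType("Applicant PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("Payment disbursement records", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print("SC = {" + ", ".join(f"({k}, {v})" for k, v in sc.items()) + "}")
    print("SP 800-53 baseline:", select_baseline(sc))
```

Note that one HIGH integrity information type drives the whole system to the HIGH baseline, which is why the boundary drawn in the SSP matters as much as the controls selected.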

2. Key Documentation

FISMA requires detailed security documentation throughout the system lifecycle.

System Security Plan (SSP)

Documents system boundaries, security controls, and implementation details. Foundation of the authorization package.

Security Assessment Report (SAR)

Results of security control assessment including findings, recommendations, and risk determinations.

Plan of Action & Milestones (POA&M)

Tracks security weaknesses, remediation plans, and milestone dates for addressing deficiencies.

Authorization Decision

Formal ATO, Denial of Authorization, or Interim Authorization from the Authorizing Official.

3. Reporting Requirements

FISMA mandates regular security reporting to OMB and Congress.

Annual FISMA Report

Agencies report on security program status, incidents, and compliance metrics to OMB annually.

CyberScope Reporting

Quarterly and monthly reporting through DHS CyberScope system on security metrics and incidents.

Inspector General Audits

Annual independent evaluation of agency information security program by the IG.

Note: FISMA was modernized in 2014 to emphasize continuous monitoring over point-in-time compliance. The update shifted focus from paperwork to real-time security awareness and automated monitoring capabilities. CISA provides operational guidance and coordinates federal cybersecurity efforts.

// Who Must Comply

  1. All federal executive branch agencies
  2. Federal contractors operating information systems for agencies
  3. Grantees and organizations receiving federal funding with data handling
  4. State agencies administering federal programs
  5. Cloud service providers serving federal agencies (via FedRAMP)

// Key Requirements

Risk Assessment

Periodic assessment of information security risks to operations, assets, and individuals

Security Planning

Detailed System Security Plans documenting controls and implementation

Security Controls

Implementation of NIST SP 800-53 controls appropriate to system risk level

Security Assessment

Regular testing and evaluation of security control effectiveness

Continuous Monitoring

Ongoing awareness of vulnerabilities, threats, and security posture

Incident Response

Capabilities for detecting, reporting, and responding to security incidents

// Enforcement & Penalties

FISMA non-compliance can result in budget impacts, contract issues, and reputational consequences. Agencies face congressional scrutiny and potential budget restrictions. Contractors may lose contracts or face termination for non-compliance.

Maximum Penalty

Contract termination; agency budget impacts; IG findings

Examples:

  • Congressional scrutiny and negative IG audit findings
  • Budget restrictions for agencies with poor FISMA scores
  • Contract termination for non-compliant contractors
  • Removal from approved vendor lists
  • Increased oversight and remediation requirements

// Cyber Insurance Impact

FISMA compliance demonstrates mature security practices aligned with federal standards. Organizations with strong FISMA compliance programs may receive favorable cyber insurance terms, particularly for policies covering government contract work.

// How Breach Craft Helps

We help organizations achieve FISMA compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of FISMA.

// Common Questions

Who must comply with FISMA?

FISMA applies to all federal executive branch agencies and to any organization that operates an information system on an agency's behalf. That includes contractors, grantees, state agencies running federally funded programs, and cloud service providers serving federal customers. Cloud providers go through FedRAMP authorization, which is essentially FISMA applied to shared cloud services. If your contract involves accessing, processing, or storing federal data, FISMA requirements flow down to you through the agency's system boundary.

What is an Authorization to Operate (ATO)?

An ATO is the formal decision by an Authorizing Official (AO) that a federal information system's risk is acceptable and the system may operate. Earning an ATO requires completing the NIST Risk Management Framework: categorize the system, select and implement NIST SP 800-53 controls, document them in a System Security Plan, assess them through independent testing, and present the full security package for the AO to review. ATOs are not permanent; continuous monitoring and periodic reassessment keep the authorization current. Contractors often need their system to hold its own ATO or operate under an agency's existing ATO boundary.

How does FISMA relate to NIST SP 800-53 and FedRAMP?

FISMA is the statute; NIST SP 800-53 is the control catalog it mandates agencies use. Think of FISMA as the law and 800-53 as the technical rulebook. FedRAMP applies that same combination to cloud services: a cloud provider authorizes once through FedRAMP and agencies can reuse that authorization instead of each building their own. CISA coordinates federal FISMA implementation, while OMB issues annual reporting guidance (currently M-25-04 for FY 2025).

What are the consequences of FISMA non-compliance for contractors?

For contractors, FISMA non-compliance puts the contract at risk. Agencies can terminate for default, remove a vendor from approved lists, or require costly remediation at the contractor's expense. Inspector General audits surface contractor security gaps to Congress, which can trigger additional scrutiny. Beyond formal penalties, an expired or denied ATO stops the program clock: a contractor whose system can't get authorized can't deliver the work. Preparing a solid security package before the authorization review is far less expensive than failing it.

// Industries That Need FISMA

These industries commonly require FISMA compliance as part of their regulatory obligations.

Guide last reviewed: June 16, 2026
