
FISMA & Federal Information Security

11 min read·Updated May 14, 2026

The Federal Information Security Modernization Act (FISMA 2014), codified at 44 U.S.C. §§ 3551–3559, is the primary federal law requiring government agencies to develop, implement, and maintain information security programs to protect federal data and systems. It creates a framework of risk management, continuous monitoring, and incident reporting that governs cybersecurity across more than 14,000 federal information systems in 100+ agencies. FISMA divides responsibility among three entities: CISA (the Cybersecurity and Infrastructure Security Agency, within DHS) handles operational cybersecurity response, threat intelligence sharing, and incident coordination; OMB sets policy and oversight standards; and NIST (National Institute of Standards and Technology) develops the technical standards and guidelines, including the widely adopted Risk Management Framework (RMF) and NIST SP 800-53 (the security controls catalog), that agencies use to categorize systems, implement controls, assess risks, and authorize systems for operation. Each agency must undergo an annual independent evaluation of its information security program, and results are reported to OMB and Congress; the annual FISMA reports have historically shown that many agencies struggle with basic security hygiene. The SolarWinds compromise (disclosed December 2020), which reached at least nine federal agencies through a trojanized software update, exposed gaps in federal detection capability and led directly to Executive Order 14028 and the federal zero-trust push. The Trump administration's DOGE initiative raised significant FISMA-related concerns in 2025, as security officials questioned whether DOGE's access to federal data and systems complied with the Act's authorization and audit requirements.

Current Law (2026)

Core statute: Federal Information Security Modernization Act (FISMA 2014), codified at 44 U.S.C. §§ 3551-3559
Primary agencies: CISA (DHS), operational cybersecurity; OMB, policy oversight; NIST, standards and guidelines
NIST framework: Risk Management Framework (RMF, SP 800-37); NIST SP 800-53 (security controls); NIST Cybersecurity Framework
Federal systems: ~14,000+ federal information systems across 100+ agencies
Annual reporting: Agencies report cybersecurity metrics to OMB and Congress; OMB publishes the annual FISMA report
Inspector General audits: Annual independent evaluations of each agency's information security program
Incident reporting: Incidents must be reported to CISA; major incidents must be reported to OMB and Congress within the timeframes set by statute and OMB guidance
  • 44 U.S.C. § 3551 — Purposes (provide comprehensive framework for ensuring effectiveness of information security controls over federal information and systems — building on the E-Government Act framework; recognize importance of information security to economic and national security)
  • 44 U.S.C. § 3553 — Authority and functions of the Director of OMB and the Secretary of Homeland Security (OMB oversees agency information security policies and ensures agencies adopt the NIST standards promulgated under 40 U.S.C. § 11331; DHS, acting through CISA, may issue binding operational directives that agencies must implement)
  • 44 U.S.C. § 3554 — Federal agency responsibilities (each agency must implement an information security program; the agency head is responsible; designate a senior agency information security officer, in practice the CISO; conduct risk assessments; implement security controls; plan for continuity of operations; report major incidents to Congress)
  • 44 U.S.C. § 3555 — Annual independent evaluation (Inspector General conducts annual evaluation of agency's information security program; tests effectiveness of controls; reports to OMB)
  • 44 U.S.C. § 3556 — Federal information security incident center (CISA operates the federal incident response center; provides technical assistance; compiles and analyzes incident data)
  • 44 U.S.C. § 3559 — Federal penetration testing policy (directs OMB to issue guidelines for agency penetration testing programs, which agencies must then follow; it does not by itself prescribe a testing frequency)

Implementing Regulations (CFR)

  • 6 CFR 158.201 — CISA cybersecurity mission (operational cybersecurity responsibilities for federal information systems under FISMA)
  • 6 CFR 158.612 — Local cybersecurity talent market supplement (compensation authorities for cybersecurity workforce supporting FISMA implementation)

How It Works

FISMA establishes the legal framework for protecting federal government information systems from cyber threats. It requires every federal agency to develop, implement, and maintain a comprehensive information security program — and provides the oversight structure to ensure compliance.

FISMA operates through a clear hierarchy. OMB sets government-wide cybersecurity policy. NIST develops the technical standards agencies must follow, most importantly the Risk Management Framework (NIST SP 800-37) and the security controls catalog (NIST SP 800-53). CISA provides operational services including threat intelligence, incident response, binding operational directives, and vulnerability scanning. Agency heads bear ultimate responsibility for their agency's cybersecurity, each designating a Chief Information Security Officer (CISO). At the core of FISMA is a risk-based approach: agencies categorize each system by impact level (low, moderate, high) according to the consequences of a loss of confidentiality, integrity, or availability (FIPS 199), select the SP 800-53 control baseline that matches that level (FIPS 200 and SP 800-53B), implement and assess those controls, obtain an authorization to operate (ATO) from a senior official who formally accepts the residual risk, and then continuously monitor. The RMF defines this as a repeating cycle (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor), not a one-time audit.
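The categorize and select steps above follow a mechanical rule that is worth seeing worked through: under FIPS 199 each information type a system handles gets a low/moderate/high rating for confidentiality, integrity, and availability, the system's rating per objective is the highest rating of any type it holds (the "high-water mark"), and FIPS 200 then takes the highest of the three objectives to pick the SP 800-53 baseline. The script below is an added example written for this page, not code from NIST or any agency; the information types and their ratings are constructed, and the helper names (`categorize_system`, `select_baseline`, `drivers`) are the author's own.

```python
from dataclasses import dataclass
from typing import Optional

# Impact levels in ascending order (FIPS 199). None means "not applicable",
# which FIPS 199 permits only for the confidentiality of public information.
LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Optional[str]   # None when the data is public
    integrity: str
    availability: str


def _highest(levels):
    """High-water mark over a sequence of levels, ignoring 'not applicable'."""
    present = [lvl for lvl in levels if lvl is not None]
    return max(present, key=RANK.__getitem__) if present else None


def categorize_system(info_types):
    """FIPS 199 security categorization of the whole system: the per-objective
    high-water mark across every information type it processes or stores.
    Returns (confidentiality, integrity, availability)."""
    return (
        _highest(t.confidentiality for t in info_types),
        _highest(t.integrity for t in info_types),
        _highest(t.availability for t in info_types),
    )


def overall_impact(info_types):
    """FIPS 200 rule: the system impact level is the highest of the three
    objective ratings. This single value selects the control baseline."""
    return _highest(categorize_system(info_types))


def select_baseline(info_types):
    """Map the overall impact level to the SP 800-53B baseline name."""
    return {"low": "LOW", "moderate": "MODERATE", "high": "HIGH"}[overall_impact(info_types)]


def drivers(info_types):
    """Information types that on their own reach the system's overall level.
    If one type carries the whole rating, moving it into its own authorization
    boundary would let the remainder run at a lower (cheaper) baseline."""
    top = overall_impact(info_types)
    return [t.name for t in info_types if overall_impact([t]) == top]


# Constructed sample: a case-management system that also happens to hold
# background-investigation records, a high-confidentiality information type.
SAMPLE_SYSTEM = [
    InfoType("public_web_content", None, "low", "low"),
    InfoType("case_management", "moderate", "moderate", "moderate"),
    InfoType("background_investigations", "high", "moderate", "moderate"),
]

if __name__ == "__main__":
    print("SC =", categorize_system(SAMPLE_SYSTEM))      # ('high', 'moderate', 'moderate')
    print("baseline =", select_baseline(SAMPLE_SYSTEM))  # HIGH
    print("driven by", drivers(SAMPLE_SYSTEM))            # ['background_investigations']
```

The practical lesson is in the last line: one information type pulls the entire system to the HIGH baseline, and every control in that baseline then applies to the public web content as well. That is why authorization-boundary decisions (what to carve out into a separate system) matter as much as control implementation.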

FISMA requires extensive annual reporting: agencies submit cybersecurity metrics to OMB, each agency's Inspector General conducts an independent annual evaluation, major incidents must be reported to CISA and Congress, and OMB compiles the annual FISMA report summarizing the federal enterprise's security posture. Critics long noted that the framework's original compliance emphasis — documenting that controls exist — came at the expense of actual security effectiveness. The 2014 modernization and subsequent executive orders have shifted toward continuous monitoring, automated tools, and outcome-based metrics. Executive Order 14028 (2021) accelerated zero-trust adoption, multi-factor authentication, encryption, and software supply chain security requirements across the federal government, extending FISMA's reach well beyond its original documentation-focused intent.

OMB Memorandum M-22-09 — Federal Zero Trust Architecture Strategy

OMB Memorandum M-22-09 ("Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," January 26, 2022) is the operational mandate that turned zero trust from a cybersecurity concept into a binding federal requirement with specific deadlines. Issued by then-Acting OMB Director Shalanda Young in response to Executive Order 14028 (May 2021, which followed the SolarWinds breach), M-22-09 gave all executive branch agencies until the end of Fiscal Year 2024 (September 30, 2024) to achieve a defined set of zero trust architecture goals across five technology pillars.

The core logic of zero trust is a departure from the traditional "castle-and-moat" model of federal cybersecurity, in which the perimeter firewall is the primary defense and anything inside the network is implicitly trusted. Zero trust assumes that any device, user, or system — including those already inside the network — may be compromised. Every access request must be verified continuously based on the identity of the user, the health of the device, and the sensitivity of the resource being accessed. The SolarWinds attack demonstrated exactly why the perimeter model fails: attackers who compromise a trusted software update mechanism gain trusted access to everything inside the network without ever breaching the firewall.

The Five Zero Trust Pillars (drawn from CISA's Zero Trust Maturity Model, which M-22-09 directs agencies to use as their implementation framework):

1. Identity: Agencies must implement phishing-resistant multi-factor authentication (MFA) for agency staff, contractors, and partners through centralized enterprise identity systems. Phishing-resistant means PIV cards or FIDO2/WebAuthn authenticators (hardware security keys or platform authenticators), whose credentials are bound to the legitimate origin; SMS and voice codes, one-time passcodes, and push approvals do not qualify, because an adversary-in-the-middle phishing page can relay them. Privileged users (system administrators) must use phishing-resistant MFA for all access, and public-facing systems must offer it as an option to the public. Agencies must maintain enterprise-wide identity management that enforces least-privilege access (users get only the minimum access needed for their job) and revokes access promptly when roles change.

2. Devices: Agencies must maintain a complete, current inventory of all devices authorized to access agency resources. Endpoint Detection and Response (EDR) software — which monitors device behavior for indicators of compromise — must be deployed across all agency endpoints. Devices must be validated as meeting security standards before being granted access to agency networks and applications.

3. Networks: Agencies must resolve DNS queries using encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) wherever it is technically supported; CISA's Protective DNS service supports encrypted resolvers. All web and API traffic must be served over HTTPS (building on the earlier OMB M-15-13 HTTPS mandate), with .gov domains added to the HSTS preload list. Agencies must begin implementing network micro-segmentation: dividing flat networks into smaller zones so that a compromise in one zone cannot spread laterally across the entire network. Because far more traffic is now encrypted, agencies must retain visibility through endpoint telemetry and application-layer logging rather than relying on perimeter decryption alone.

4. Applications and Workloads: Agencies must treat all applications as internet-connected, test them routinely through dedicated application security testing programs and independent third-party assessment, and welcome external reports: every internet-accessible system must be covered by a public vulnerability disclosure policy, as CISA Binding Operational Directive 20-01 already requires, so that security researchers have a formal channel to report what they find. Access to each application, including internally developed ones, is granted on the basis of identity and device posture rather than network location.

5. Data: Agencies must implement at least a basic data categorization scheme — cataloging what sensitive data they hold, where it lives, and who can access it. Encryption at rest and in transit must be applied to all sensitive data. Data access must be monitored and logged.
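The common thread through the five pillars is that an access decision is computed from the identity (pillar 1), the device (pillar 2), and the resource's sensitivity (pillar 5) on every request, and that the source network contributes nothing to it. The following toy policy decision point makes that concrete. It is an added example written for this page, not code from M-22-09, CISA, or any agency: the `PHISHING_RESISTANT` labels, the `INVENTORY` set, the posture rules, and the sample requests are all constructed assumptions chosen to mirror the pillars above.

```python
from dataclasses import dataclass, replace

# Authenticator types M-22-09 treats as phishing-resistant (PIV, FIDO2/WebAuthn).
# SMS, voice, TOTP and push approvals are not. Labels are assumed for this example.
PHISHING_RESISTANT = frozenset({"piv", "fido2"})

# Constructed enterprise device inventory (Devices pillar).
INVENTORY = frozenset({"lap-0042", "lap-0107"})


@dataclass(frozen=True)
class Subject:
    user: str
    auth_method: str
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    edr_healthy: bool   # EDR agent installed and checking in
    patched: bool       # meets the current patch baseline


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str    # "low" | "moderate" | "high" (Data pillar categorization)
    required_role: str


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    source_network: str  # recorded for audit only; never an input to the decision


def evaluate(req):
    """Policy decision point. Returns (allowed, reasons); every failed check is
    kept so the audit log explains a denial. Network location is deliberately
    absent from the checks: 'inside the building' earns no trust."""
    s, d, r = req.subject, req.device, req.resource
    reasons = []
    if s.auth_method not in PHISHING_RESISTANT:
        reasons.append(f"identity: {s.auth_method} is not phishing-resistant MFA")
    if d.device_id not in INVENTORY:
        reasons.append(f"device: {d.device_id} is not in the enterprise inventory")
    elif not d.edr_healthy:
        reasons.append(f"device: EDR not reporting on {d.device_id}")
    if r.required_role not in s.roles:
        reasons.append(f"least privilege: {s.user} lacks role {r.required_role}")
    if r.sensitivity == "high" and not d.patched:
        reasons.append(f"posture: {r.name} is high-sensitivity; device must be patched")
    return (not reasons, reasons)


def audit_record(req):
    """Log entry satisfying the Data pillar's access-monitoring requirement."""
    allowed, reasons = evaluate(req)
    return {
        "user": req.subject.user,
        "device": req.device.device_id,
        "resource": req.resource.name,
        "source_network": req.source_network,
        "decision": "ALLOW" if allowed else "DENY",
        "reasons": reasons,
    }


# Constructed requests against a high-sensitivity resource.
PAYMENTS = Resource("payments-db", "high", "payments-admin")
ADMIN = Subject("j.doe", "fido2", frozenset({"payments-admin"}))
GOOD_LAPTOP = Device("lap-0042", edr_healthy=True, patched=True)

REMOTE_OK = Request(ADMIN, GOOD_LAPTOP, PAYMENTS, source_network="home-isp")
REMOTE_OK_FROM_HQ = replace(REMOTE_OK, source_network="hq-lan")
ONPREM_SMS = Request(replace(ADMIN, auth_method="sms"), GOOD_LAPTOP, PAYMENTS, source_network="hq-lan")
UNKNOWN_DEVICE = Request(ADMIN, Device("byod-9", True, True), PAYMENTS, source_network="hq-lan")

if __name__ == "__main__":
    for req in (REMOTE_OK, REMOTE_OK_FROM_HQ, ONPREM_SMS, UNKNOWN_DEVICE):
        print(audit_record(req))
```

The two requests that fail here are both coming from the headquarters LAN, and the one that succeeds is coming from a home ISP connection; under the castle-and-moat model those outcomes would have been reversed. Returning the full reason list, rather than a bare deny, is what makes the resulting logs useful to a SOC and to the Inspector General evaluating the control.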

Implementation deadlines and accountability: M-22-09 required agencies to designate a Zero Trust implementation lead within 30 days of issuance and submit a Zero Trust implementation plan to CISA and OMB within 60 days. The FY2024 endpoint was the deadline for achieving the specific goals across all five pillars. Progress was tracked through CISA's ongoing coordination with agency CISOs and through OMB's annual FISMA reporting.

CISA's supporting role: CISA serves as the operational partner for zero trust implementation. CISA's Zero Trust Maturity Model (version 2.0, April 2023) provides a four-stage maturity scale (Traditional → Initial → Advanced → Optimal) for each pillar, giving agencies a roadmap for phased progress. CISA also operates the Continuous Diagnostics and Mitigation (CDM) program, which provides federal agencies with centrally procured tools for asset inventory, vulnerability management, and network monitoring, the building blocks of zero trust implementation. Agencies that have not fully enrolled in CDM are working with older, less integrated toolsets.

Document: OMB Memorandum M-22-09
Date issued: January 26, 2022
Issuing official: Shalanda Young, Acting OMB Director
Implementing EO: Executive Order 14028 (May 12, 2021)
Implementation framework: CISA Zero Trust Maturity Model
Agency deadline: End of FY2024 (September 30, 2024)
Lead designation: 30 days; implementation plan within 60 days

Implementation against the FY2024 deadline was mixed. Most large agencies achieved the identity pillar requirements (phishing-resistant MFA deployment) and made progress on the device pillar (EDR deployment, asset inventory). Network micro-segmentation and data categorization — more architecturally complex — lagged at many agencies. GAO and agency IG reviews through 2024–2025 found that roughly half of CFO Act agencies had not fully met all M-22-09 goals by the FY2024 deadline, with data and network pillars most commonly incomplete.

How It Affects You

If you're a federal employee: FISMA obligations aren't abstract; they show up in your daily work. Annual security awareness training is mandatory at every federal agency, and completion is tracked. Multi-factor authentication is required for federal systems under Executive Order 14028 (2021) and OMB M-22-09, and M-22-09 specifically calls for phishing-resistant MFA (PIV cards or FIDO2 security keys, not SMS codes or push approvals); if your agency still runs systems without it, that's a compliance gap, not an option. Incident reporting is the obligation most employees underestimate. Agencies must notify CISA of incidents within one hour of identification under CISA's federal incident notification guidelines, and a "major incident" as defined in OMB's FISMA guidance (M-20-04 and its successors: roughly, an incident likely to cause demonstrable harm to national security, the economy, public confidence, or civil liberties, or a breach of personal information on 100,000 or more people) must be reported to Congress within 7 days. Not every unauthorized access rises to a major incident, but those clocks only start once someone reports, so if you suspect a breach or see suspicious system activity, contact your agency's SOC or CISO immediately, don't try to investigate yourself, and don't use personal devices or email to discuss federal system vulnerabilities. Controlled Unclassified Information (CUI) handling rules come from the CUI program (Executive Order 13556 and 32 CFR Part 2002) rather than from FISMA itself, but they apply alongside it: federal data marked CUI has specific marking, storage, transmission, and destruction requirements even though it is unclassified.

If you're a government contractor handling federal information: The key clause to understand is DFARS 252.204-7012 (for DoD contractors). It requires you to implement the 110 security requirements in NIST SP 800-171 Rev 2, report cyber incidents to DoD (through the DIBNet portal run by the DoD Cyber Crime Center, DC3) within 72 hours of discovery, and preserve images of affected systems and the relevant monitoring data for at least 90 days. The Cybersecurity Maturity Model Certification (CMMC) program, whose contract clause took effect in November 2025 with a phased rollout over the following three years, requires defense contractors handling CUI to meet Level 2 (which maps directly to NIST SP 800-171), assessed by a certified third party for most CUI contracts. For cloud services: any cloud product used by a federal agency to process, store, or transmit federal data must hold a FedRAMP authorization, obtained by an agency sponsoring an authorization against the FedRAMP baseline (or, historically, a JAB provisional authorization); authorized products are listed on the FedRAMP Marketplace. If you're selling cloud software to federal agencies, check your FedRAMP status early: the authorization process commonly takes 6-18 months and can block procurement. These requirements increasingly flow down to subcontractors: even if you don't have a direct government contract, if your customer does, you may be subject to FISMA-derived obligations.

If you're a cybersecurity professional working in or with government: The foundational documents are NIST SP 800-53 Rev 5 (the security controls catalog: about 1,189 controls and control enhancements organized into 20 families, from Access Control to Supply Chain Risk Management, with the companion SP 800-53B defining the Low/Moderate/High baselines) and NIST SP 800-37 Rev 2 (the Risk Management Framework, a 7-step cycle: Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor). The NIST Cybersecurity Framework (CSF) 2.0, released February 2024, added Govern as a sixth core function alongside Identify/Protect/Detect/Respond/Recover, signaling NIST's shift toward making cybersecurity governance an executive and board-level concern, not just a technical one. CISA's Continuous Diagnostics and Mitigation (CDM) program provides centrally funded tools to participating agencies for asset inventory, vulnerability detection, and network monitoring; if you work at a federal agency that hasn't fully enrolled, that's a missed resource. Zero-trust architecture is now a mandate: OMB M-22-09 (January 2022) required agencies to meet specific zero-trust goals by the end of FY2024, including phishing-resistant MFA, device inventory and posture checks, and encrypted internal traffic; implementation is still incomplete at many agencies and represents years of contractor work.

If you're a citizen concerned about your federal data: FISMA is supposed to protect the personal information federal agencies hold about you: IRS tax records, VA health records, CMS Medicare data, OPM personnel files, CBP travel records. The 2015 OPM breach, in which background investigation records on 21.5 million people (including SF-86 forms) and 5.6 million sets of fingerprints were stolen, is the benchmark for FISMA's worst failure. Unlike HIPAA (which requires patient notification within 60 days) or state data breach laws (which require consumer notification), FISMA itself has no statutory requirement to notify individuals whose data was compromised; agencies follow OMB's breach-response guidance (M-17-12), which leaves the notification decision to the agency based on its assessment of the risk of harm. What FISMA does require is that major incidents be reported to Congress within 7 days (44 U.S.C. § 3554) and that incidents be reported to the federal incident center CISA operates. The DOGE access controversy in 2025, in which DOGE personnel accessed Treasury payment systems, IRS taxpayer data, and HHS databases, raised specific FISMA questions: access to a federal system is supposed to be granted within that system's authorization boundary and ATO, with documented access rights and audit logs. If you believe a federal system breach affected your data, the affected agency's Inspector General and GAO are the accountability mechanisms; you can contact the agency's Inspector General directly.

State Variations

FISMA applies exclusively to federal information systems. However, NIST frameworks and standards are widely adopted by state and local governments and the private sector as well.

Pending Legislation

  • HR 6429 — Expanding Cybersecurity Workforce Act. Creates new pathways for recruiting cybersecurity professionals into federal service. Status: Introduced.
  • HR 7266 — Rural and Municipal Utility Cybersecurity Act. Authorizes $250 million for FY 2026-2030 to improve cybersecurity at rural and municipal utilities. Status: Introduced.
  • HR 8110 — Cyber Ready Workforce Act. Establishes cybersecurity apprenticeship and training programs for the federal workforce. Status: Introduced.
  • S 3404 — Satellite Cybersecurity Act. Establishes cybersecurity requirements for commercial satellite systems. Status: Introduced.
  • HR 6584 — Cyber Talent Development and Recruitment Act. Creates recruitment incentives and career development programs for federal cybersecurity positions. Status: Introduced.
  • HR 6309 — Cyber Deterrence and Response Act. Authorizes sanctions against state-sponsored cyber actors targeting U.S. systems. Status: Introduced.

Recent Developments

  • Zero-trust architecture adoption is the dominant cybersecurity initiative across federal agencies, driven by EO 14028 and OMB directives
  • The 2015 OPM breach and subsequent incidents have driven significant increases in federal cybersecurity investment
  • CISA's role as the operational lead for federal cybersecurity has expanded, providing shared services and threat intelligence across agencies
  • FedRAMP (Federal Risk and Authorization Management Program) streamlines cloud security authorization for federal agencies
  • Software supply chain security has become a major focus following high-profile supply chain attacks (SolarWinds, Log4j)
  • In April 2026, the White House unveiled President Trump's cyber strategy, outlining federal priorities for cybersecurity defense, critical infrastructure protection, and deterrence of state-sponsored cyber threats.
