FISMA & Federal Information Security
The Federal Information Security Modernization Act (FISMA 2014) — codified at 44 U.S.C. §§ 3551–3559 — is the primary federal law requiring government agencies to develop, implement, and maintain information security programs to protect federal data and systems. It creates a framework of risk management, continuous monitoring, and incident reporting that governs cybersecurity across more than 14,000 federal information systems in 100+ agencies.
FISMA divides cybersecurity responsibility among three entities: CISA (the Cybersecurity and Infrastructure Security Agency, within DHS) handles operational cybersecurity response, threat intelligence sharing, and incident coordination; OMB sets policy and oversight standards; and NIST (National Institute of Standards and Technology) develops the technical standards and guidelines — including the widely adopted NIST Risk Management Framework (RMF) and NIST SP 800-53 (security controls catalog) — that agencies use to categorize systems, implement controls, assess risks, and authorize systems for operation.
FISMA requires each agency to conduct an annual independent evaluation of its information security program and report results to OMB and Congress. The annual FISMA report cards have historically shown that many agencies struggle with basic security hygiene. The SolarWinds hack (2020), which breached dozens of federal agencies through a compromised software update, revealed fundamental gaps in FISMA's detection capabilities and prompted CISA's continuous monitoring and zero-trust architecture push. The Trump administration's DOGE initiative raised significant FISMA-related concerns in 2025, as security officials questioned whether DOGE's system access to federal data complied with the Act's authorization and audit requirements.
Current Law (2026)
| Parameter | Value |
|---|---|
| Core statute | Federal Information Security Modernization Act (FISMA 2014), codified at 44 U.S.C. §§ 3551-3559 |
| Primary agencies | CISA (DHS) — operational cybersecurity; OMB — policy oversight; NIST — standards and guidelines |
| NIST framework | Risk Management Framework (RMF); NIST SP 800-53 (security controls); NIST Cybersecurity Framework |
| Federal systems | ~14,000+ federal information systems across 100+ agencies |
| Annual reporting | Agencies must report cybersecurity metrics to OMB and Congress; annual FISMA report |
| Inspector General audits | Annual independent evaluations of each agency's information security program |
| Incident reporting | Major incidents must be reported to CISA, OMB, and Congress within specified timeframes |
Legal Authority
- 44 U.S.C. § 3551 — Purposes (provide comprehensive framework for ensuring effectiveness of information security controls over federal information and systems — building on the E-Government Act framework; recognize importance of information security to economic and national security)
- 44 U.S.C. § 3553 — Authority and functions of the Director of OMB (oversee agency information security policies; develop standards and guidelines in consultation with NIST; require agencies to identify and protect information systems)
- 44 U.S.C. § 3554 — Federal agency responsibilities (each agency must implement information security program; agency head is responsible; designate Chief Information Security Officer; conduct risk assessments; implement security controls; plan for continuity of operations)
- 44 U.S.C. § 3555 — Annual independent evaluation (Inspector General conducts annual evaluation of agency's information security program; tests effectiveness of controls; reports to OMB)
- 44 U.S.C. § 3556 — Federal information security incident center (CISA operates the federal incident response center; provides technical assistance; compiles and analyzes incident data)
- 44 U.S.C. § 3559 — Federal penetration testing (agencies must conduct regular vulnerability assessments and penetration testing)
Implementing Regulations (CFR)
- 6 CFR 158.201 — CISA cybersecurity mission (operational cybersecurity responsibilities for federal information systems under FISMA)
- 6 CFR 158.612 — Local cybersecurity talent market supplement (compensation authorities for cybersecurity workforce supporting FISMA implementation)
How It Works
FISMA establishes the legal framework for protecting federal government information systems from cyber threats. It requires every federal agency to develop, implement, and maintain a comprehensive information security program — and provides the oversight structure to ensure compliance.
FISMA operates through a clear hierarchy: OMB sets government-wide cybersecurity policy; NIST develops the technical standards agencies must follow — most importantly the Risk Management Framework (NIST SP 800-37) and the security controls catalog (NIST SP 800-53); CISA provides operational services including threat intelligence, incident response, and vulnerability scanning; and agency heads bear ultimate responsibility for their agency's cybersecurity, each designating a Chief Information Security Officer (CISO).
At the core of FISMA is a risk-based approach: agencies categorize their systems by impact level (low, moderate, high) based on breach consequences, select controls from NIST SP 800-53 proportional to that risk, implement and assess those controls, and continuously monitor. This is a cycle defined in the RMF, not a one-time audit.
FISMA requires extensive annual reporting: agencies submit cybersecurity metrics to OMB, each agency's Inspector General conducts an independent annual evaluation, major incidents must be reported to CISA and Congress, and OMB compiles the annual FISMA report summarizing the federal enterprise's security posture. Critics long noted that the framework's original compliance emphasis — documenting that controls exist — came at the expense of actual security effectiveness. The 2014 modernization and subsequent executive orders have shifted toward continuous monitoring, automated tools, and outcome-based metrics. Executive Order 14028 (2021) accelerated zero-trust adoption, multi-factor authentication, encryption, and software supply chain security requirements across the federal government, extending FISMA's reach well beyond its original documentation-focused intent.
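The categorize, select, assess and monitor steps described above can be made concrete with a small model. The following is an added example, not code from the original page or from NIST: it applies the FIPS 199 high-water-mark rule (a system's overall impact level is the highest of its confidentiality, integrity and availability ratings), picks a cumulative control baseline for that level, lists the controls still missing, and flags a system whose last assessment is older than a chosen threshold. The control identifiers (AC-2, IA-2, SC-8, ...) are real SP 800-53 names, but their assignment to baselines here is an illustrative subset constructed for the example (the real baselines are in NIST SP 800-53B), the `SystemRecord` shape and the 365-day staleness threshold are assumptions, and the payroll system is a constructed sample.

```python
"""Worked RMF model (added example): categorize -> select -> assess -> monitor."""
from dataclasses import dataclass, field
from datetime import date

# Impact levels in ascending order; FIPS 199 uses this ordering for the
# high-water mark (the overall level is the maximum across C, I and A).
LEVELS = ("low", "moderate", "high")

# Constructed illustrative subset of SP 800-53 controls per baseline.
# Baselines are cumulative: moderate includes low, high includes moderate.
# This is NOT the real SP 800-53B baseline content.
BASELINE_ADDITIONS = {
    "low": {"AC-2", "IA-2", "AU-6", "IR-6", "SI-4"},
    "moderate": {"SC-8", "AC-2(1)", "AU-6(1)"},
    "high": {"SI-4(2)", "AC-2(11)"},
}


@dataclass
class SystemRecord:
    """Assumed record shape for one federal information system."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    last_assessed: date
    implemented: set = field(default_factory=set)


def categorize(rec: SystemRecord) -> str:
    """FIPS 199 high-water mark: overall impact = max of the three ratings."""
    ratings = (rec.confidentiality, rec.integrity, rec.availability)
    for r in ratings:
        if r not in LEVELS:
            raise ValueError(f"unknown impact rating {r!r} on {rec.name}")
    return max(ratings, key=LEVELS.index)


def select_baseline(level: str) -> set:
    """Cumulative control set for a level (low ⊂ moderate ⊂ high)."""
    controls = set()
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        controls |= BASELINE_ADDITIONS[lvl]
    return controls


def assess(rec: SystemRecord, today: date, max_age_days: int = 365) -> dict:
    """Gap analysis plus a continuous-monitoring staleness check.

    A system is only a candidate for authorization when every baseline
    control is implemented AND its last assessment is recent enough.
    """
    level = categorize(rec)
    missing = sorted(select_baseline(level) - rec.implemented)
    stale = (today - rec.last_assessed).days > max_age_days
    return {
        "level": level,
        "missing": missing,
        "stale": stale,
        "authorize": not missing and not stale,
    }


# Constructed sample: a payroll system holding employee PII.
PAYROLL = SystemRecord(
    name="payroll-prod",
    confidentiality="moderate",
    integrity="moderate",
    availability="low",
    last_assessed=date(2025, 3, 1),
    implemented={"AC-2", "IA-2", "AU-6", "IR-6", "SI-4", "AC-2(1)", "AU-6(1)"},
)

if __name__ == "__main__":
    print(assess(PAYROLL, date(2025, 9, 1)))
```

Running the block reports the payroll system as `moderate`, missing `SC-8` (transmission confidentiality and integrity), and therefore not yet authorizable; moving the clock past the threshold additionally marks it stale, which is the "monitor" step catching a system whose authorization has quietly aged out.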
How It Affects You
If you're a federal employee: FISMA obligations aren't abstract — they show up in your daily work. Annual security awareness training is mandatory at every federal agency (most agencies use KnowBe4 or similar platforms; completion is tracked). Multi-factor authentication (MFA) is required for all federal systems under Executive Order 14028 (2021) and OMB M-22-09 — if your agency hasn't implemented PIV cards or authenticator apps for all systems, that's a compliance gap, not optional. Incident reporting is the obligation most employees underestimate: under OMB M-20-04, federal employees who discover a major cybersecurity incident must report it to their agency CISO immediately (within the hour for incidents affecting "high impact" systems). Major is broadly defined — unauthorized access to any federal system counts. If you suspect a breach or see suspicious system activity, don't try to investigate yourself: contact your agency's SOC or CISO immediately, and don't use personal devices or email to discuss federal system vulnerabilities. Controlled Unclassified Information (CUI) handling requirements also flow from FISMA — federal data marked CUI has specific marking, storage, transmission, and destruction requirements regardless of classification level.
If you're a government contractor handling federal information: The key clause to understand is DFARS 252.204-7012 (for DoD contractors) — it requires you to implement the 110 security controls in NIST SP 800-171, report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours of discovery, and preserve images of compromised systems. The Cybersecurity Maturity Model Certification (CMMC 2.0) program — being phased in through 2026 — requires defense contractors handling Controlled Unclassified Information (CUI) to achieve Level 2 certification (which maps directly to NIST SP 800-171). For cloud services: any cloud product used by a federal agency to process, store, or transmit federal data must have a FedRAMP authorization — either an agency Authorization to Operate (ATO) or a FedRAMP Marketplace listing. If you're selling cloud software to federal agencies, check your FedRAMP status early: the authorization process takes 6-18 months and can block procurement. These requirements increasingly flow down to subcontractors — even if you don't have a direct government contract, if your customer does, you may be subject to FISMA-derived obligations.
If you're a cybersecurity professional working in or with government: The foundational documents are NIST SP 800-53 Rev 5 (the security controls catalog — 1,189 controls organized into 20 families, from Access Control to Supply Chain Risk Management) and NIST SP 800-37 Rev 2 (the Risk Management Framework — the 6-step cycle: Categorize → Select → Implement → Assess → Authorize → Monitor). The NIST Cybersecurity Framework (CSF) 2.0, released February 2024, added "Govern" as a sixth core function alongside Identify/Protect/Detect/Respond/Recover — signaling NIST's shift toward making cybersecurity governance a board-level concern, not just a technical one. CISA's Continuous Diagnostics and Mitigation (CDM) program provides free tools to participating agencies for asset inventory, vulnerability detection, and network monitoring — if you work at a federal agency that hasn't enrolled, that's a missed resource. Zero-trust architecture is now a mandate: OMB M-22-09 (Jan 2022) requires agencies to meet specific zero-trust goals by FY2024, including device-level identity validation and encrypted internal traffic — implementation is still incomplete at many agencies and represents years of contractor work.
If you're a citizen concerned about your federal data: FISMA is supposed to protect the personal information federal agencies hold about you — IRS tax records, VA health records, CMS Medicare data, OPM personnel files, CBP travel records. The 2015 OPM breach — 21.5 million records stolen including background investigation SF-86 forms and fingerprints — is the benchmark for FISMA's worst failure. Unlike HIPAA (which requires patient notification within 60 days) or state data breach laws (which require consumer notification), FISMA has no standard requirement to notify individuals whose data was compromised — agencies follow OMB guidance, which varies. What FISMA does require is that major incidents be reported to Congress within 7 days and to CISA immediately. The DOGE access controversy in 2025 — in which DOGE personnel accessed Treasury payment systems, IRS taxpayer data, and HHS databases — raised specific FISMA questions: FISMA requires that access to federal systems be authorized through the agency's ATO process, with documented access rights and audit logs. OMB's Inspector General and GAO are the accountability mechanisms if you believe a federal system breach affected your data; you can also contact the agency's Inspector General directly.
State Variations
FISMA applies exclusively to federal information systems. However, NIST frameworks and standards are widely adopted by state and local governments and the private sector as well.
Pending Legislation
- HR 6429 — Expanding Cybersecurity Workforce Act. Creates new pathways for recruiting cybersecurity professionals into federal service. Status: Introduced.
- HR 7266 — Rural and Municipal Utility Cybersecurity Act. Authorizes $250 million for FY 2026-2030 to improve cybersecurity at rural and municipal utilities. Status: Introduced.
- HR 8110 — Cyber Ready Workforce Act. Establishes cybersecurity apprenticeship and training programs for the federal workforce. Status: Introduced.
- S 3404 — Satellite Cybersecurity Act. Establishes cybersecurity requirements for commercial satellite systems. Status: Introduced.
- HR 6584 — Cyber Talent Development and Recruitment Act. Creates recruitment incentives and career development programs for federal cybersecurity positions. Status: Introduced.
- HR 6309 — Cyber Deterrence and Response Act. Authorizes sanctions against state-sponsored cyber actors targeting U.S. systems. Status: Introduced.
Recent Developments
- Zero-trust architecture adoption is the dominant cybersecurity initiative across federal agencies, driven by EO 14028 and OMB directives
- The 2015 OPM breach and subsequent incidents have driven significant increases in federal cybersecurity investment
- CISA's role as the operational lead for federal cybersecurity has expanded, providing shared services and threat intelligence across agencies
- FedRAMP (Federal Risk and Authorization Management Program) streamlines cloud security authorization for federal agencies
- Software supply chain security has become a major focus following high-profile supply chain attacks (SolarWinds, Log4j)
- In April 2026, the White House unveiled President Trump's cyber strategy, outlining federal priorities for cybersecurity defense, critical infrastructure protection, and deterrence of state-sponsored cyber threats.