Federal Information Security Management Act (FISMA) report

This report displays FISMA issues found on your site. Many web application vulnerabilities might lead, directly or indirectly, to security breaches of personal information and might be considered violations of the regulation.

Why it matters

The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure that comprehensive measures are taken to secure federal information and assets. FISMA compliance is a matter of national security and is therefore scrutinized at the highest level of government. Because the Act applies to the information and information systems used by the agency, contractors, and other organizations, it has a wider applicability than previous security laws. Agency IT security programs apply to all organizations that possess or use Federal information (or that operate, use, or have access to Federal information systems) on behalf of a Federal agency, including contractors, grantees, State and local governments, and industry partners. Federal security requirements therefore continue to apply to such organizations, and the agency remains responsible for ensuring appropriate security controls.

Federal agencies must transmit an annual report on their compliance with IT security requirements to the Office of Management and Budget (OMB) by October of each year. OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made toward fulfilling its FISMA goals and milestones.

FISMA compliance requires detailed reporting and measurements on cyber security for the agency, covering both existing risks and remediation plans. Verifying compliance for every IT system within the organization requires comprehensive validation testing and remediation planning, with coordinated reporting and information flow, so that the Agency head can accurately report on the agency's current FISMA compliance status.

Organizations lacking a centralized IT function and the foundational processes and procedures required for testing and reporting on the various IT systems must build this infrastructure from scratch under significant time pressure, which leaves little room for error. Most government agencies have hundreds, if not thousands, of systems that make up the IT/IS infrastructure. These numbers exacerbate the compliance reporting requirements and ultimately lead to FISMA compliance failure. Coupled with limited funding and potential misinterpretations of the requirements, many agencies are in dire compliance shape.