FISMA Compliance: Definition, Regulations & Requirements 

The acronym FISMA stands for the Federal Information Security Management Act.

If you work for a government agency, or your company hopes to sign contracts to work with the government, security is critical. You must protect sensitive documents, and you must have the paperwork to prove your compliance with a variety of regulations. 

Part of your job involves decoding the alphabet soup of regulations. FISMA is a critical set of rules you must know forwards and backwards.

If you don't understand all of the rules right away, you're certainly not alone. But the harder you dig and the more you learn, the easier compliance will be to achieve.

FISMA Compliance

What Is FISMA?

FISMA is part of the E-Government Act, signed into law in December of 2002. As part of FISMA, government agencies must design, document, and implement programs that keep information safe and secure. 

In 2014, FISMA was amended by the Federal Security Modernization Act. Reporting requirements shifted with this legislation. Agencies have less upfront work to do to prove compliance, but if there's a breach, they have a stronger incentive to report the problem. 

Originally, FISMA requirements applied only to government agencies. But in time, the scope broadened.

Now, you might need to comply with the rules if you hope to work with a government agency. For example, you might need compliance if you hope to bid on a project that is funded by these entities:

  • Medicare or Medicaid
  • The Environmental Protection Agency
  • The Federal Trade Commission
  • The National Transportation Security Board 

If you don't have proof of compliance, you could be deemed ineligible to bid on a project, even if you hope to offer a competitive price.

FISMA Compliance Step by Step 

It can take weeks or months to craft and implement plans that bring your company into compliance with FISMA. But follow a strategic, comprehensive plan, and you're less likely to skip foundational work that would require you to start over again.

Officials recognize four key steps all companies should take as they work toward FISMA compliance.

  • Step 1: Prepare
    What programs are you using right now? How are programs integrated? An information system inventory is a critical part of any FISMA compliance plan, and the work happens during the preparation step.
  • Step 2: Categorize
    With a full inventory prepared, you can create groupings by risk. What items are most likely to be targeted by hackers? What things are they likely to ignore?
  • Step 3: Select
    What security and privacy controls do you need to protect your data? And how will you use them? Use this information to craft a security system plan that outlines what you're doing to protect systems and the data in your care.
  • Step 4: Certify

With system documentation and risk assessments completed, your organization can ask for certification.

As you do your work, you'll notice a few top requirements that every company must meet. They involve:

  • Inventories of information systems. 
  • Categorization and assessments of risk. 
  • System security planning and controls. 
  • Certification and/or accreditation. 
  • Monitoring. 

You'll tackle each item in the steps. And if you find you've missed one, start again to make sure you don't leave out anything important.

What About the Cloud?

As you walk through your system, you may wonder what to do with cloud applications. These functions don't sit on your server, but you're still required to keep the data they house safe. 

The Federal Risk and Authorization Management Program (FedRAMP) can help. This program was created to help organizations like yours learn how to protect cloud data. You can work with groups authorized by FedRAMP, or you can submit your company's products to get authorization. 

If you're using the cloud, or any other data-transfer process, you must consider encryption. Data must be protected as it moves from one place to another, and encryption helps ensure that hackers can't read anything while it's in transit. Officials generally suggest that all companies invest in centralized encryption management.

Why Does FISMA Compliance Matter 

It's clear that companies have plenty of planning and paperwork ahead if they hope to create systems that protect data up to FISMA standards. A major drawback of compliance involves time. You'll need a large and dedicated team to get the work done. 

A breach could be catastrophic. For example, in 2015, the Office of Personnel Management breach exposed at least 4.2 million records.

Get the Help You Need From Okta

By comparison, the benefits of compliance are enormous. Okta works with private organizations and government agencies on compliance plans for FISMA. If you're not sure where to start, or you need a little help ensuring that you're offering the right kind of protection, we can help. Contact us to get started. 

While this article discusses certain legal concepts, it does not constitute legal advice.  It is provided for informational purposes only.  For legal advice regarding your organization's compliance needs, please consult your organization's legal department.  Okta makes no representations, warranties, or other assurances regarding the content of this article.  Information regarding Okta's contractual assurances to its customers can be found at


FISMA Implementation Project. (October 2020). National Institute of Standards and Technology. 

Federal Information Security Modernization Act of 2014. (2013-2014). 

FISMA Implementation Project: Risk Management Framework—Prepare. (October 2020). National Institute of Standards and Technology. 

FISMA Implementation Project: Risk Management Framework—Categorize. (October 2020). National Institute of Standards and Technology.

FISMA Implementation Project: Risk Management Framework—Select. (October 2020). National Institute of Standards and Technology.

FISMA Implementation Project: Risk Management Framework—Monitor. (October 2020). National Institute of Standards and Technology.

About Us. FedRAMP.

Guide to Storage Encryption Technologies for End User Devices. (November 2007). National Institute of Standards and Technology. 

Fixing FISMA, Blaming Someone, and Another Lawsuit. (July 2015). The Business of Federal Technology.