Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

What is FISMA Compliance? Regulations and Requirements

3 min read
Published March 29, 2020
Last updated February 25, 2022

FISMA stands for the Federal Information Security Management Act, which the United States Congress passed in 2002: it requires federal agencies to implement information security plans to protect sensitive data.

FISMA compliance is data security guidance set by FISMA and the National Institute of Standards and Technology (NIST). NIST is responsible for maintaining and updating the compliance documents as directed by FISMA. More specifically, NIST:

Get the Free Essential Guide to US Data Protection Compliance and Regulations

  • Sets minimum requirements for information security plans and procedures.
  • Recommends types of security (systems, software, etc.) that agencies must implement and approves vendors.
  • Standardizes risk assessment process and sets varying standards of information security based on agency risk assessments. Each agency has different levels of security requirements: the National Security Agency and Housing and Urban Development, for instance, have different risk levels and therefore different security requirements.

Why was FISMA Created?

FISMA was created to require each federal agency to develop, document, and implement a complete information security plan to protect and support the operations of the agency. FISMA is one article in a larger piece of legislation called the E-Government Act, which recognizes the importance of information security to the economic and national interests of the United States.

Congress amended FISMA in 2014 in the Federal Information Security Modernization Act. The amended legislation provided several modifications to the original law that brought FISMA in line with current information security concerns. Agencies are now encouraged to use more continuous monitoring and focus on compliance than what was required in the previous legislation.

Who Needs to Follow FISMA Compliance?

Originally, FISMA only applied to federal agencies. Over time, the law has evolved to cover state agencies that manage federal programs (i.e., Medicare, Medicaid, unemployment insurance, etc.) as well as companies with contracts to work with federal agencies.

That means private sector companies that do business with federal agencies must adhere to the same information security guidelines as the federal agency.

How Do I Become FISMA Compliant?

To be FISMA compliant you need to information security controls across your organization based on the guidance from NIST. Several publications encompass the FISMA guidelines: a good place to start is NIST 800 – 53. You’ll also want to read up on NIST 800 – 171, FIPS 199, FIPS 200, and the other NIST 800 –xx documents.

In general, following the basic data security principles in the Varonis Operational Journey will help get you FISMA compliant (minus the physical space controls, of course).

FISMA requirements include the following:

  • Information System Inventory: FISMA requires every agency to maintain an inventory of all systems and their integrations in use.
  • Risk Categorization: FIPS 199 documents how an agency categorizes their risk and security requirements. Each agency is responsible for maintaining the highest level of security necessary per this document.
  • System Security Plan: FISMA requires that each agency have a security plan in place and a process to make sure the plan is updated regularly.
  • Security Controls: NIST 800-53 defines 20 security controls that each agency must implement to be FISMA compliant.
  • Risk Assessments: Any time an agency makes a change to their systems, they are required to perform a three tiered risk assessment using the Risk Management Framework (RMF).
  • Certification and Accreditation: FISMA requires each agency to conduct yearly security reviews. Agencies must demonstrate they can implement, maintain, and monitor systems to be FISMA compliant.

FISMA requirements

FedRAMP Program

The Federal Risk and Authorization Management Program (FedRAMP) is a new government program that standardizes how agencies can validate cloud-computing services for FISMA compliance. Agencies are looking to cloud-computing options for cost savings – and FedRAMP provides guidance on how to manage risk and validate the cloud services for use by federal agencies.

Any software vendor that wants to work with US government agencies should look into the FedRAMP authorization programs.

FISMA Compliance Benefits

Achieving FISMA compliance increases an agencies’ data security, protects citizens’ private data, and reduces IT related cost to the federal government.

Private sector companies in the current data security climate should implement FISMA compliant solutions for their own data security. Companies have to be FISMA compliant to work with federal agencies, and they get the added benefit of protecting their data from breaches.

Penalties for FISMA Compliance Violations

The loss of federal funding is one of the biggest potential penalties for FISMA compliance violations. For an agency that could be detrimental, but if you are a federal contractor that could be the end of your company.

Other non-monetary penalties could be a loss of reputation due to data breaches and bad press – or even missing out on future federal project bid opportunities. If you depend on federal funds for your company’s ongoing revenue, you need to be FISMA compliant.

FISMA Compliance Best Practices

  • Implement a comprehensive data security plan to classify data, monitor activity, and detect threats to your sensitive data.
  • Stay current with any changes to the FISMA standards.
  • Keep documentation of your FISMA compliance efforts.
  • Encrypt everything: data encryption is a FISMA requirement.

FISMA compliance best practices

Any organization – regardless of federal government involvement – will benefit from a FISMA compliance program. The EU passed GDPR, and there is new legislation in Congress today that redefines PII, and requires annual data risk reports. Privacy and data protection laws are coming to the United States, and it’s a good bet that FISMA will influence those laws. If you don’t have a data security strategy in place, you need to get planning now.

A Varonis Risk Assessment is a great place to start your FISMA compliance journey. Varonis will highlight risks on sensitive data, monitor your data (one of the FISMA requirements) for potential cyberattacks, and more.

Begin your FISMA compliance journey with a free Varonis Risk Assessment.


What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Meta's $1.3B Fine: What can Happen if you Don’t Monitor Your PII
Continuous discovery and data monitoring critical to identify misplaced PII.
HIPAA Compliance: Your Complete 2023 Checklist
Is your organization ready to comply with 2023 HIPAA updates and changes? Ensure HIPAA compliance with your comprehensive 2023 checklist.
Australian Privacy Act 2022 Updates
A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
The 12 PCI DSS Requirements: 4.0 Compliance Checklist
Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) is right around the corner. Prepare with our PCI DSS compliance checklist.