What is FISMA Compliance? Regulations and Requirements

FISMA is the federal government’s security requirements. If you work for on with a federal agency read on to learn how to get (and stay) compliant.
Michael Buckbee
3 min read
Last updated February 25, 2022

FISMA stands for the Federal Information Security Management Act, which the United States Congress passed in 2002: it requires federal agencies to implement information security plans to protect sensitive data.

FISMA compliance is data security guidance set by FISMA and the National Institute of Standards and Technology (NIST). NIST is responsible for maintaining and updating the compliance documents as directed by FISMA. More specifically, NIST:

Get the Free Essential Guide to US Data Protection Compliance and Regulations

  • Sets minimum requirements for information security plans and procedures.
  • Recommends types of security (systems, software, etc.) that agencies must implement and approves vendors.
  • Standardizes risk assessment process and sets varying standards of information security based on agency risk assessments. Each agency has different levels of security requirements: the National Security Agency and Housing and Urban Development, for instance, have different risk levels and therefore different security requirements.

Why was FISMA Created?

FISMA was created to require each federal agency to develop, document, and implement a complete information security plan to protect and support the operations of the agency. FISMA is one article in a larger piece of legislation called the E-Government Act, which recognizes the importance of information security to the economic and national interests of the United States.

Congress amended FISMA in 2014 in the Federal Information Security Modernization Act. The amended legislation provided several modifications to the original law that brought FISMA in line with current information security concerns. Agencies are now encouraged to use more continuous monitoring and focus on compliance than what was required in the previous legislation.

Who Needs to Follow FISMA Compliance?

Originally, FISMA only applied to federal agencies. Over time, the law has evolved to cover state agencies that manage federal programs (i.e., Medicare, Medicaid, unemployment insurance, etc.) as well as companies with contracts to work with federal agencies.

That means private sector companies that do business with federal agencies must adhere to the same information security guidelines as the federal agency.

How Do I Become FISMA Compliant?

To be FISMA compliant you need to information security controls across your organization based on the guidance from NIST. Several publications encompass the FISMA guidelines: a good place to start is NIST 800 – 53. You’ll also want to read up on NIST 800 – 171, FIPS 199, FIPS 200, and the other NIST 800 –xx documents.

In general, following the basic data security principles in the Varonis Operational Journey will help get you FISMA compliant (minus the physical space controls, of course).

FISMA requirements include the following:

  • Information System Inventory: FISMA requires every agency to maintain an inventory of all systems and their integrations in use.
  • Risk Categorization: FIPS 199 documents how an agency categorizes their risk and security requirements. Each agency is responsible for maintaining the highest level of security necessary per this document.
  • System Security Plan: FISMA requires that each agency have a security plan in place and a process to make sure the plan is updated regularly.
  • Security Controls: NIST 800-53 defines 20 security controls that each agency must implement to be FISMA compliant.
  • Risk Assessments: Any time an agency makes a change to their systems, they are required to perform a three tiered risk assessment using the Risk Management Framework (RMF).
  • Certification and Accreditation: FISMA requires each agency to conduct yearly security reviews. Agencies must demonstrate they can implement, maintain, and monitor systems to be FISMA compliant.

FISMA requirements

FedRAMP Program

The Federal Risk and Authorization Management Program (FedRAMP) is a new government program that standardizes how agencies can validate cloud-computing services for FISMA compliance. Agencies are looking to cloud-computing options for cost savings – and FedRAMP provides guidance on how to manage risk and validate the cloud services for use by federal agencies.

Any software vendor that wants to work with US government agencies should look into the FedRAMP authorization programs.

FISMA Compliance Benefits

Achieving FISMA compliance increases an agencies’ data security, protects citizens’ private data, and reduces IT related cost to the federal government.

Private sector companies in the current data security climate should implement FISMA compliant solutions for their own data security. Companies have to be FISMA compliant to work with federal agencies, and they get the added benefit of protecting their data from breaches.

Penalties for FISMA Compliance Violations

The loss of federal funding is one of the biggest potential penalties for FISMA compliance violations. For an agency that could be detrimental, but if you are a federal contractor that could be the end of your company.

Other non-monetary penalties could be a loss of reputation due to data breaches and bad press – or even missing out on future federal project bid opportunities. If you depend on federal funds for your company’s ongoing revenue, you need to be FISMA compliant.

FISMA Compliance Best Practices

  • Implement a comprehensive data security plan to classify data, monitor activity, and detect threats to your sensitive data.
  • Stay current with any changes to the FISMA standards.
  • Keep documentation of your FISMA compliance efforts.
  • Encrypt everything: data encryption is a FISMA requirement.

FISMA compliance best practices

Any organization – regardless of federal government involvement – will benefit from a FISMA compliance program. The EU passed GDPR, and there is new legislation in Congress today that redefines PII, and requires annual data risk reports. Privacy and data protection laws are coming to the United States, and it’s a good bet that FISMA will influence those laws. If you don’t have a data security strategy in place, you need to get planning now.

A Varonis Risk Assessment is a great place to start your FISMA compliance journey. Varonis will highlight risks on sensitive data, monitor your data (one of the FISMA requirements) for potential cyberattacks, and more.

Begin your FISMA compliance journey with a free Varonis Risk Assessment.


What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Government Community Cloud: Primer on GCC High, GCC and DOD
Internal federal teams -- as well as external contractors -- need to secure sensitive data in the cloud. Enter the Government Community Cloud (GCC).
How has Ransomware Impacted the US Government?
Ransomware crimes have been soaring this year. It has stalled the operations of not only hospitals and businesses, but also the US government – federal, state and local governments, law enforcement...
Understanding Canada: Ontario’s New Medical Breach Notification Provision (and Other Canadian Data Privacy Facts)
Remember Canada’s profusion of data privacy laws? The Personal Information Protection and Electronic Documents Act (PIPEDA) is the law that covers all commercial organizations across Canada. Canadian federal government agencies,...
How the MOVEit Vulnerability Impacts Federal Government Agencies
Our latest State of Cybercrime episode examines the MOVEit vulnerability and its impact on victims, including federal government agencies.