Standards Comparison

    FISMA

    Mandatory
    2014

    U.S. federal law mandating risk-based cybersecurity programs

    VS

    C-TPAT

    Voluntary
    2001

    U.S. voluntary program for supply chain security

    Quick Verdict

    FISMA is a federal law: agencies and the contractors that handle their data must run NIST RMF-based information security programs to protect federal information systems. C-TPAT is a voluntary CBP program: importers, carriers and other trade partners that meet its security criteria earn trade benefits such as fewer inspections. One is a legal compliance obligation; the other is an opt-in trade of security investment for faster processing.

    Cybersecurity

    FISMA

    Federal Information Security Modernization Act of 2014

    Cost
    €€€
    Complexity
    Medium
    Implementation Time
    18-24 months

    Key Features

    • Mandates NIST RMF 7-step risk management process
    • Requires continuous monitoring and diagnostics
    • Applies to federal agencies and contractors
    • Enforces annual independent IG assessments
    • Requires prompt major-incident reporting (to Congress within 7 days)

    Supply Chain Security

    C-TPAT

    Customs Trade Partnership Against Terrorism (C-TPAT)

    Cost
    €€€
    Complexity
    Medium
    Implementation Time
    6-12 months

    Key Features

    • Risk-based supply chain security assessments
    • Tiered benefits for validated partners
    • Minimum Security Criteria by partner type
    • Business partner vetting and monitoring
    • CBP validation and revalidation process

    Detailed Analysis

    A comprehensive look at the specific requirements, scope, and impact of each standard.

    FISMA Details

    What It Is

    The Federal Information Security Modernization Act (FISMA) of 2014 is a U.S. federal law establishing a risk-based framework for protecting federal information systems. It mandates agency-wide information security programs built on the NIST Risk Management Framework (RMF) and its seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.

    Key Components

    • Applies NIST SP 800-53 controls (20 control families), with the Low/Moderate/High baseline chosen from the system's FIPS 199 impact categorization and then tailored.
    • Emphasizes continuous monitoring, incident reporting, and Plans of Action and Milestones (POA&Ms) for tracking remediation of weaknesses.
    • Oversight by OMB, DHS/CISA, and agency Inspectors General (IGs), using annual FISMA metrics and the IG maturity model.
    • Compliance demonstrated through Authorization to Operate (ATO) decisions backed by independent control assessments.

    Why Organizations Use It

    Federal agencies and contractors must comply to avoid penalties, debarment, and funding loss. It reduces breach risks, enables federal contracts, builds stakeholder trust, and aligns cybersecurity with missions for resilience and efficiency.

    Implementation Overview

    A phased RMF lifecycle: governance, system inventory, control selection and implementation, assessment, authorization, and ongoing monitoring. Applies to agencies and to contractors handling federal data, and scales to organizations of all sizes. There is no formal certification; compliance rests on ongoing assessments, ATO decisions, and the annual independent IG evaluation.

    C-TPAT Details

    What It Is

    C-TPAT (Customs Trade Partnership Against Terrorism) is a voluntary public-private partnership led by U.S. Customs and Border Protection (CBP). Its primary purpose is securing international supply chains against terrorism and criminal threats through a risk-based trusted trader model. Scope covers importers, carriers, brokers, and manufacturers handling U.S. trade.

    Key Components

    • 12 Minimum Security Criteria (MSC) categories: Security Vision and Responsibility; Risk Assessment; Business Partners; Cybersecurity; Conveyance and Instruments of International Traffic Security; Seal Security; Procedural Security; Agricultural Security; Physical Security; Physical Access Controls; Personnel Security; Education, Training and Awareness.
    • Built on governance, self-assessment, and CBP validation; tiered benefits (Tier 1 certified, Tier 2 validated, Tier 3 exceeding the MSC) earned through the Security Profile and revalidation.
    • Compliance via C-TPAT Portal submission of the Security Profile and annual review, internal audits, and CBP validations (revalidated at least every 4 years).

    Why Organizations Use It

    • Trade facilitation: reduced CBP inspections, access to FAST (Free and Secure Trade) lanes, and priority processing.
    • Risk mitigation: layered security across partners, conveyances, and facilities improves supply chain resilience.
    • Builds stakeholder trust, meets business partner requirements, and is recognized abroad through CBP's Mutual Recognition Arrangements (MRAs) with other trusted-trader programs.

    Implementation Overview

    • Phased approach: gap analysis against the MSC, policy development, training, business partner vetting, evidence collection.
    • Applies to trade entities of all sizes; global supply chains.
    • CBP validation required for full benefits; internal self-assessments ongoing.

    Key Differences

    Scope

    FISMA
    Federal info systems cybersecurity via NIST RMF
    C-TPAT
    International supply chain security (physical, personnel, procedural, and cybersecurity criteria)

    Industry

    FISMA
    Federal agencies and contractors handling federal information
    C-TPAT
    Importers, carriers, logistics, trade sector

    Nature

    FISMA
    Mandatory federal law with NIST standards
    C-TPAT
    Voluntary CBP partnership program

    Testing

    FISMA
    Continuous monitoring, RMF assessments
    C-TPAT
    CBP risk-based validations/revalidations

    Penalties

    FISMA
    Loss of contracts or funding, debarment, adverse IG and OMB findings
    C-TPAT
    Suspension or removal from the program and loss of benefits; no direct fines

