What is the primary objective of **FISMA**?

**FISMA's primary objective is to provide a comprehensive framework for federal agencies to develop, document, implement, and maintain risk-based information security programs protecting federal information and systems.** Enacted in 2002 and modernized in 2014, it mandates protections for confidentiality, integrity, and availability using NIST's Risk Management Framework (RMF) in SP 800-37, including the 7 steps: Prepare, Categorize (FIPS 199), Select (SP 800-53), Implement, Assess, Authorize, and Monitor. Oversight involves OMB for policy, DHS/CISA for operations, and annual IG evaluations.

Who is legally or professionally required to comply with **FISMA**?

**FISMA requires compliance from all federal executive branch civilian agencies and contractors operating or processing federal information systems.** This includes federal contractors, cloud providers (via FedRAMP), systems integrators, and state/local entities administering federal programs like Medicaid when handling federal data. Excludes national security systems. CISOs, CIOs, AOs, and SAOPs bear direct responsibilities; non-compliance cascades via contracts.

Does **FISMA** require an external audit or third-party certification?

**FISMA does not mandate third-party certification but requires annual independent evaluations by agency Inspectors General (IGs) or designees.** IGs assess using CISA metrics aligned to NIST CSF functions, assigning maturity levels (1 Ad Hoc to 5 Optimized). Contractors face agency-driven assessments; FedRAMP provides standardized third-party assessments for cloud. Evidence includes SARs and POA&Ms.

How often should an assessment for **FISMA** be performed?

**FISMA requires annual IG independent evaluations and ongoing continuous monitoring per NIST SP 800-137.** Agencies submit CIO/IG/SAOP reports yearly to OMB via CyberScope by July 31. RMF Monitor step mandates continuous diagnostics (e.g., via CDM), with risk assessments updated per changes, vulnerabilities, or incidents. Major incidents trigger real-time reporting to CISA/Congress within 30 days.

What are the consequences of non-compliance with **FISMA**?

**FISMA non-compliance results in unfavorable IG reports, OMB remediation directives, reduced funding, contract loss, and debarment for contractors.** Agencies face operational constraints, mission degradation, GAO scrutiny, and public exposure. Contractors risk termination, False Claims Act penalties up to $100,000/violation, and DCSA suspension. Persistent failures, like HHS's "Not Effective" ratings, escalate to Congressional oversight.

Can **FISMA** be mapped to other international frameworks?

**FISMA cannot be directly mapped to other international frameworks in this standalone context.** It is a U.S.-specific statute mandating NIST RMF/SP 800-53 for federal civilian systems. Agencies focus exclusively on FISMA/NIST alignment for compliance; mappings are internal to federal risk management.

What is the first step to begin implementing **FISMA**?

**The first step in FISMA implementation is the RMF Prepare phase: establish governance, roles (CIO/CISO/AO/SAOP), risk strategy, and system inventory.** Develop a security program charter, CMDB for assets, and RACI matrix. Executive sponsorship ensures alignment with mission risk tolerance before Categorize (FIPS 199).

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** (conformity assessment via Factory Production Control, FPC), **EN 1090-2** (steel execution requirements like welding, tolerances, and inspection), and **EN 1090-3** (aluminium execution). Risk-based **Execution Classes (EXC1–EXC4)** scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling lawful market placement in the EEA.

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in construction works must comply with EN 1090 to affix CE marking.** This includes fabricators supplying to EU/EEA markets, such as those producing beams, trusses, or assemblies for buildings, bridges, and industrial structures. Compliance via certified FPC is mandatory under CPR for market access; non-structural or non-metallic elements are excluded.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a notified body under AVCP systems 2+.** This involves initial inspection, technical documentation review (including ITT/ITC), certificate issuance, and continuous surveillance audits. Notified bodies like TÜV SÜD or DNV verify FPC operational effectiveness for declared Execution Classes.

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires initial certification followed by ongoing surveillance audits by the notified body, typically annually.** Frequency aligns with EN 1090-1 Table B.3, scaled by Execution Class (higher EXC like 3/4 demand more rigor) and prior performance. Manufacturers must conduct internal audits continuously, notifying the notified body of changes affecting FPC.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance with EN 1090 prevents lawful CE marking, risking market exclusion, product withdrawal, and certificate suspension by notified bodies.** Under CPR, it exposes manufacturers to fines, recalls, civil liability for failures, and public reporting of suspensions (e.g., per Intertek rules). Major non-conformities in FPC, welding, or traceability trigger additional audits and potential enforcement by national authorities.

Can **EN 1090** be mapped to other international frameworks?

**No, EN 1090 FAQs must stand alone without referencing other frameworks.** It is a self-contained harmonized standard under CPR, with internal alignments like ISO 3834 for welding quality (EXC-dependent levels) embedded in its requirements.

What is the first step to begin implementing **EN 1090**?

**The first step is to perform a product scope assessment and determine Execution Classes (EXC1–EXC4) based on consequence, service, and production categories.** Classify products conservatively (default EXC2 if unspecified), then conduct a gap analysis of current FPC against EN 1090-1, prioritizing welding coordination and traceability.

FISMA vs EN 1090

Standards Comparison

FISMA

Mandatory

2014

U.S. federal law mandating risk-based cybersecurity programs

EN 1090

Mandatory

2009

EU standard for steel and aluminium structural execution.

Quick Verdict

FISMA mandates risk-based cybersecurity for US federal systems via NIST RMF, ensuring compliance and resilience. EN 1090 requires CE-marked structural steel/aluminium via FPC, guaranteeing execution quality. Agencies/contractors adopt FISMA for mandates; fabricators use EN 1090 for EU market access.

Cybersecurity

FISMA

Federal Information Security Modernization Act of 2014

Cost

€€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Mandates NIST Risk Management Framework (RMF)
Requires continuous monitoring and diagnostics
Enforces risk-based system categorization (FIPS 199)
Applies to agencies, contractors, and supply chains
Demands annual IG assessments and OMB reporting

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes EXC1-4
Factory Production Control FPC certification
CE marking via Notified Body audits
Welding quality management ISO 3834
Material traceability and NDT inspection

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

FISMA Details

What It Is

Federal Information Security Modernization Act (FISMA) of 2014 is a U.S. federal law establishing a risk-based framework for protecting federal information and systems. It modernizes the 2002 act, emphasizing continuous monitoring, incident reporting, and NIST standards for civilian executive branch agencies and contractors.

Key Components

NIST RMF 7-step process: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
NIST SP 800-53 controls tailored by FIPS 199 impact levels.
Annual metrics, IG evaluations, OMB/DHS/CISA oversight.
Compliance via SSPs, POA&Ms, ATOs; no formal certification but independent audits.

Why Organizations Use It

Mandated for federal agencies/contractors handling federal data; reduces breach risks, enables market access, builds resilience. Strategic benefits include operational efficiency and competitive edge in federal procurement.

Implementation Overview

Phased RMF approach: governance/inventory, categorization/control selection, implementation/assessment, continuous monitoring. Applies to all federal sizes/industries; requires automation, training, supply chain oversight. Involves IG annual assessments.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family for the execution of steel and aluminium structures. It provides technical requirements and conformity assessment under the EU Construction Products Regulation (CPR), enabling CE marking. Its risk-based approach uses Execution Classes (EXC1–EXC4) to scale requirements based on failure consequences, service conditions, and production complexity.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
**EN 1090-2/-3Technical rules for steel/aluminium (materials, welding, tolerances, corrosion protection, inspection/NDT).
Core principles: traceability, qualified welding (ISO 3834), risk-scaled controls.
Certification model: Notified Body audits FPC with ongoing surveillance.

Why Organizations Use It

Mandatory for CE marking and EU market access for structural components.
Reduces liability, ensures quality, enables high-risk projects.
Builds trust, differentiates in tenders, lowers rework via disciplined processes.

Implementation Overview

Phased: gap analysis, FPC development, personnel training, NB certification (3-12 months).
Applies to fabricators in construction; requires welding coordinators, digital traceability.
Involves audits, ITT/ITC, surveillance for manufacturers of load-bearing kits/components.

Key Differences

Aspect	FISMA	EN 1090
Scope	Federal information security and systems	Structural steel/aluminium components execution
Industry	US federal agencies, contractors, cloud providers	EU construction, steel/aluminium fabricators
Nature	US federal law, mandatory for agencies	EU harmonized standard, mandatory CE marking
Testing	Continuous monitoring, RMF assessments, IG audits	FPC certification, NB audits, surveillance
Penalties	Contract loss, debarment, IG reports	Market exclusion, fines, certificate suspension

Scope

FISMA

Federal information security and systems

EN 1090

Structural steel/aluminium components execution

Industry

FISMA

US federal agencies, contractors, cloud providers

EN 1090

EU construction, steel/aluminium fabricators

Nature

FISMA

US federal law, mandatory for agencies

EN 1090

EU harmonized standard, mandatory CE marking

Testing

FISMA

Continuous monitoring, RMF assessments, IG audits

EN 1090

FPC certification, NB audits, surveillance

Penalties

FISMA

Contract loss, debarment, IG reports

EN 1090

Market exclusion, fines, certificate suspension

Frequently Asked Questions

Common questions about FISMA and EN 1090

FISMA FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 Metrics That Matter: KPIs, KRIs, and Dashboards for Board-Ready Cyber Reporting

Quantify CIS Controls v8.1 success with KPIs, KRIs & dashboards. Learn what to measure, calculations, and executive presentations linking security to business r

SOC 2 Audit Survival Guide: First 5 Steps to Ace Your Type 2 Audit with Infographic

Ace your SOC 2 Type 2 audit with the first 5 essential steps: evidence collection, auditor tips, red flags from SignWell's experience. Get checklists & infograp

Decoding Tomorrow's Regulations: How Advanced Compliance Tools Predict and Prepare for Future Shifts

Advanced compliance tools use AI, analytics & real-time monitoring to predict regulatory shifts, cut non-compliance costs 3x, and ensure audit readiness. Stay p

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

COBIT vs NIST 800-53

Compare COBIT vs NIST 800-53: Governance framework meets security controls catalog. Optimize IT risk, compliance & value—tailor your best-fit strategy now!

ISO 9001 vs SOC 2

ISO 9001 vs SOC 2: Global QMS leader (1M+ certs, PDCA focus) vs security trust criteria for services. Uncover key diffs, benefits & choose for compliance success now.

ISO 37301 vs FedRAMP

ISO 37301 vs FedRAMP: Certifiable CMS standard meets US federal cloud security. Uncover key differences, benefits & integration for compliance success now!

FISMA

EN 1090

Quick Verdict

FISMA

Key Features

EN 1090

Key Features

Detailed Analysis

FISMA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

FISMA FAQ

What is the primary objective of FISMA?

Who is legally or professionally required to comply with FISMA?

Does FISMA require an external audit or third-party certification?

How often should an assessment for FISMA be performed?

What are the consequences of non-compliance with FISMA?

Can FISMA be mapped to other international frameworks?

What is the first step to begin implementing FISMA?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

CIS Controls v8.1 Metrics That Matter: KPIs, KRIs, and Dashboards for Board-Ready Cyber Reporting

SOC 2 Audit Survival Guide: First 5 Steps to Ace Your Type 2 Audit with Infographic

Decoding Tomorrow's Regulations: How Advanced Compliance Tools Predict and Prepare for Future Shifts

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

COBIT vs NIST 800-53

ISO 9001 vs SOC 2

ISO 37301 vs FedRAMP