Standards Comparison

    FISMA

    Mandatory
    2014

    U.S. federal law mandating risk-based cybersecurity programs

    VS

    FedRAMP

    Mandatory
    2011

    U.S. framework standardizing federal cloud security authorization

    Quick Verdict

    FISMA mandates risk-based security programs for federal agencies and their contractors, implemented through the NIST RMF, while FedRAMP standardizes cloud service authorizations with reusable assessments. Agencies comply with FISMA because the law obliges them to; CSPs pursue FedRAMP authorization to sell cloud services to federal agencies.

    Cybersecurity

    FISMA

    Federal Information Security Modernization Act of 2014

    Cost
    €€€€
    Complexity
    Medium
    Implementation Time
    18-24 months

    Key Features

    • Requires agencies to follow NIST standards, in practice the 7-step RMF risk management process
    • Requires continuous monitoring and diagnostics program
    • Categorizes systems by FIPS 199 impact levels
    • Demands annual independent IG assessments and reporting
    • Applies to federal agencies and to contractors operating systems on their behalf

    Cloud Security

    FedRAMP

    Federal Risk and Authorization Management Program

    Cost
    €€€
    Complexity
    Medium
    Implementation Time
    12-18 months

    Key Features

    • NIST 800-53 Rev 5 controls at Low/Moderate/High baselines
    • Independent 3PAO security assessments required
    • Continuous monitoring with monthly/annual deliverables
    • "Assess once, use many times" reusability model
    • FedRAMP Marketplace listing for authorized CSPs

    Detailed Analysis

    A comprehensive look at the specific requirements, scope, and impact of each standard.

    FISMA Details

    What It Is

    The Federal Information Security Modernization Act (FISMA) of 2014 is a U.S. federal law establishing a risk-based framework for protecting federal information and information systems. It amends the Federal Information Security Management Act of 2002, placing greater emphasis on continuous monitoring, incident reporting, and the NIST Risk Management Framework (RMF) as the basis for agency-wide security programs that protect confidentiality, integrity, and availability.

    Key Components

    • NIST RMF 7 steps (SP 800-37): Prepare, Categorize (FIPS 199), Select (SP 800-53 and 800-53B baselines), Implement, Assess (SP 800-53A), Authorize, Monitor.
    • Controls from NIST SP 800-53 (20 families), baselines in SP 800-53B.
    • Core elements: System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), Authorizations to Operate (ATOs).
    • Oversight via OMB, DHS/CISA, Inspectors General with maturity metrics aligned to NIST Cybersecurity Framework.

    Why Organizations Use It

    Federal agencies and contractors must comply to avoid penalties, loss of funding, or debarment. A FISMA-aligned program also delivers risk reduction, resilience, market access (it is the foundation for a later FedRAMP authorization), operational efficiency, and a documented basis for executive risk decisions.

    Implementation Overview

    Phased RMF approach: governance and system inventory, categorize and select controls, implement, assess and authorize, then continuous monitoring. It applies to executive branch agencies and to contractors operating systems on their behalf, and it requires annual IG audits. There is no central certification: each system receives its own ATO from its authorizing official. The approach scales from large agencies to small contractors.

    FedRAMP Details

    What It Is

    FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government-wide framework standardizing security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. Its primary purpose is to enable "assess once, use many times" and so reduce duplicated assessment effort. It is risk-based, using NIST SP 800-53 Rev 5 controls selected into baselines that correspond to the FIPS 199 impact levels (Low, Moderate, High).

    Key Components

    • Baselines: ~156 (Low), ~323 (Moderate), ~410 (High) controls, plus the LI-SaaS tailored baseline.
    • Core artifacts: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Actions & Milestones (POA&M).
    • Built on NIST standards; requires independent 3PAO assessments.
    • Compliance model: Authorization paths via Agency or Program ATOs, with ongoing continuous monitoring.
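    Both the FISMA Categorize step above and the FedRAMP baseline tiers rest on the same FIPS 199 computation: rate each information type for confidentiality, integrity and availability, take the maximum per objective across all types, then take the high-water mark across objectives (FIPS 200) to pick the Low/Moderate/High baseline. The following Python is an added example, not code from the original page or from NIST or the FedRAMP PMO; the inventory of information types and their impact values is constructed for illustration, and the `fedramp_cso_covers` check encodes the practitioner rule that a cloud service offering must be authorized at or above the impact level of the system placed on it.

    ```python
    """FIPS 199 security categorization and baseline selection (added example)."""
    from enum import IntEnum
    from typing import Dict, Optional


    class Impact(IntEnum):
        LOW = 1
        MODERATE = 2
        HIGH = 3


    OBJECTIVES = ("C", "I", "A")
    OBJECTIVE_NAMES = {"C": "confidentiality", "I": "integrity", "A": "availability"}

    # Constructed sample inventory (not from the page): each information type
    # carries provisional impact values per objective. None means "not
    # applicable", which FIPS 199 permits only for the confidentiality of
    # information that is already public.
    SAMPLE_INFO_TYPES: Dict[str, Dict[str, Optional[Impact]]] = {
        "public web content":    {"C": None,            "I": Impact.MODERATE, "A": Impact.LOW},
        "citizen PII":           {"C": Impact.MODERATE, "I": Impact.MODERATE, "A": Impact.LOW},
        "grant payment records": {"C": Impact.MODERATE, "I": Impact.HIGH,     "A": Impact.MODERATE},
    }


    def validate(info_types: Dict[str, Dict[str, Optional[Impact]]]) -> None:
        """Reject 'not applicable' on integrity or availability (FIPS 199 rule)."""
        for name, vals in info_types.items():
            for obj in OBJECTIVES:
                if vals.get(obj) is None and obj != "C":
                    raise ValueError(
                        f"{name}: 'not applicable' is only allowed for confidentiality"
                    )


    def security_category(info_types) -> Dict[str, Impact]:
        """FIPS 199: per objective, the system value is the max across info types."""
        validate(info_types)
        sc: Dict[str, Impact] = {}
        for obj in OBJECTIVES:
            vals = [t[obj] for t in info_types.values() if t.get(obj) is not None]
            # FIPS 200 requires at least LOW for every objective at system level,
            # so an all-"not applicable" confidentiality column floors to LOW.
            sc[obj] = max(vals) if vals else Impact.LOW
        return sc


    def overall_impact(sc: Dict[str, Impact]) -> Impact:
        """FIPS 200 high-water mark: the system impact level is the highest objective."""
        return max(sc.values())


    def format_sc(sc: Dict[str, Impact]) -> str:
        """Render the category in the notation FIPS 199 uses."""
        parts = ", ".join(f"({OBJECTIVE_NAMES[o]}, {sc[o].name})" for o in OBJECTIVES)
        return f"SC system = {{{parts}}}"


    def baseline_for(level: Impact) -> str:
        """Map the high-water mark to the SP 800-53B / FedRAMP baseline name."""
        return {Impact.LOW: "Low", Impact.MODERATE: "Moderate", Impact.HIGH: "High"}[level]


    def fedramp_cso_covers(system_level: Impact, cso_authorized_level: Impact) -> bool:
        """A system may only be placed on a cloud service offering authorized at or
        above the system's impact level: a Moderate authorization does not cover High."""
        return cso_authorized_level >= system_level


    if __name__ == "__main__":
        sc = security_category(SAMPLE_INFO_TYPES)
        level = overall_impact(sc)
        print(format_sc(sc))
        print("overall:", level.name, "-> baseline:", baseline_for(level))
        print("FedRAMP Moderate CSO acceptable:", fedramp_cso_covers(level, Impact.MODERATE))
    ```

    With the constructed inventory the integrity rating of the payment records drags the whole system to High even though every confidentiality value is Moderate or lower, which is exactly why agencies segment high-integrity data into separate systems before categorizing: the high-water mark is per system, not per information type.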

    Why Organizations Use It

    • Unlocks federal cloud contracts (e.g., $20M+ opportunities) and supports CMMC compliance where a cloud service handles CUI, since DoD accepts FedRAMP Moderate (or equivalent) for that purpose.
    • Demonstrates robust security for commercial clients.
    • Reduces risk via standardized controls and reusability.
    • Builds stakeholder trust through Marketplace visibility.

    Implementation Overview

    • Phased process: preparation, assessment, authorization, continuous monitoring (12-18 months typical).
    • Key activities: gap analysis, SSP development, 3PAO assessment, POA&M remediation, then monthly and annual continuous-monitoring deliverables.
    • Applies to CSPs targeting the U.S. federal market; the effort is substantial for CSPs of every size.

    Key Differences

    Scope

    FISMA
    Federal agency-wide info security programs
    FedRAMP
    Cloud service security assessments

    Industry

    FISMA
    Federal agencies, contractors
    FedRAMP
    Cloud service providers to feds

    Nature

    FISMA
    Mandatory federal law
    FedRAMP
    Standardized authorization program

    Testing

    FISMA
    Annual IG assessments, continuous monitoring
    FedRAMP
    Initial and annual 3PAO assessments, plus monthly continuous-monitoring deliverables

    Penalties

    FISMA
    IG reports, contract loss, funding cuts
    FedRAMP
    Marketplace delisting, contract ineligibility

