
Federal Information Security Management Act (FISMA)

What is FISMA?

The Federal Information Security Management Act (FISMA) [FISMA 2002], part of the E-Government Act (Public Law 107-347), was passed in December 2002. FISMA 2002 requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

The Federal Information Security Modernization Act of 2014 amends FISMA 2002 with several modifications that modernize federal security practices to address evolving security concerns. These changes reduce overall reporting, strengthen the use of continuous monitoring in systems, and shift agency compliance and reporting toward the issues caused by actual security incidents. FISMA 2014 also required the Office of Management and Budget (OMB) to amend and revise OMB Circular A-130 to eliminate inefficient and wasteful reporting and to reflect changes in law and technological advances.

FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing FISMA, the Office of Management and Budget (OMB), through Circular A-130, “Managing Federal Information as a Strategic Resource,” requires executive agencies within the federal government to:

  • Plan for security

  • Ensure that appropriate officials are assigned security responsibility

  • Periodically review the security controls in their systems

  • Authorize system processing before operations and periodically thereafter

What does FISMA require?

Federal agencies need to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:

  • Information collected/maintained by or on behalf of an agency

  • Information systems used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency

Also, federal agencies must “com[ply] with the information security standards” and guidelines, including the mandatory standards, developed by NIST.

To whom does FISMA apply?

FISMA applies to federal agencies, contractors, and other sources that provide information security for the information and information systems that support the operations and assets of an agency.

What is a Federal Information System?

As defined in FISMA 2002, "[t]he term ‘Federal information system’ means an information system used or operated by an executive agency, a contractor of an executive agency, or another organization on behalf of an executive agency."

Sage Bionetworks and FISMA

On March 7, 2023, “The RECOVER Cybersecurity Team has completed the review of the security documentation provided by Sage Bionetworks for the Synapse Platform system. Based on our review, we concur with the 3PAO’s recommendation for the system authorization. The Team attests that the authorization package provided by Sage Bionetworks provides a complete implementation and assessment of the applicable NIST SP 800-53 rev. 4 controls as stipulated in the compliance requirements prescribed by NHLBI and the RECOVER Cybersecurity Program. Evidence to verify the successful implementation of the various security controls has been validated by the 3PAO assessment.”


What platforms are FISMA compliant?

At this time, Synapse is the only FISMA-compliant platform.