University of Wisconsin–Madison

Federal Information Security Management Act (FISMA)

What Is FISMA?

FISMA is the Federal Information Security Management Act of 2002. It was passed as Title III of the E-Government Act (Public Law 107-347) in December 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

How does FISMA affect the mission of the university?

FISMA requirements are most often passed along to the university as conditions of grants or contracts with federal agencies that report to the executive branch. At the federal level, the Office of Management and Budget (OMB) enforces these requirements as conditions of the agency receiving funds. The agencies then enforce the terms of the contract or grant. In fiscal year 2011 the university received $661.6 million from federal grants and contracts.

What does the OMB have to say about how federal agencies apply FISMA to a contracting or grant receiving entity such as the UW?

The following statement from OMB Memorandum M-11-33 (PDF) outlines the general requirement:

To the extent that contractor, state, or grantee systems process, store, or house Federal Government information (for which the agency continues to be responsible for maintaining control), their security controls must be assessed against the same NIST criteria and standards as if they were a government-owned or operated system. The security authorization boundary for these systems must be carefully mapped to ensure that Federal information: (a) is adequately protected, (b) is segregated from the contractor, state or grantee corporate infrastructure, and (c) there is an interconnection security agreement in place to address connections from the contractor, state or grantee system containing the agency information to systems external to the security authorization boundary.

Where are the NIST criteria documented?

The NIST publications related to FISMA can be found at the National Institute of Standards and Technology (NIST).

Is there an organization on campus that can help us with FISMA compliance?

The Office of Cybersecurity provides information security consulting to campus departments. Please contact the Office of Cybersecurity if you would like assistance.