The Federal Information Security Modernization Act (FISMA) was passed as part of the E-Government Act of 2002, creating requirements for cybersecurity of federal information systems, including hardware and software, both government-created and vendor-provided. It was further updated by the Federal Information Security Modernization Act of 2014.

FISMA requires all federal agencies to maintain an inventory of all systems. Agencies must further categorize those systems according to risk, and implement security controls based on this categorization. It further tasks OMB and each agency’s IG with overseeing the implementation of FISMA.

It also tasks the National Institute of Standards and Technology (NIST) to develop and maintain standards for cybersecurity practices. NIST also hosts the National Vulnerability Database.

One criticism of FISMA is that it focuses on a slow, laborious documentation process instead of a more reactive, agile approach to security. Another is that the oversight process as designed results in risk avoidance instead of risk management, disincentivizing experimentation or modernization.

Federal Information Security Modernization Act of 2014

FISMA was modified in 2014, establishing the role of the Department of Homeland Security (DHS) in implementing various cybersecurity requirements. The passing of the Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018 established CISA within DHS, which would be responsible for these program areas, such as the Trusted Internet Connections (TIC) program, and the Continuous Diagnostics and Mitigation (CDM) program.