The Federal Information Security Management Act (FISMA)
Covered Entities: Government Agencies and Contractors
Governed by the Department of Homeland Security
The Federal Information Security Management Act (FISMA) is a landmark piece of federal legislation enacted under the E-Government Act of 2002 to acknowledge the growing importance of information security to all interests of the United States, including but not limited to political, economic, military, and financial interests. FISMA requires all federal government agencies to develop processes that provide information security and documentation for any and all data systems that support those agencies. The act is designed to increase the security of government information and establish a “risk-based policy for cost-effective security.”
FISMA is expansive and covers all government agencies; all state agencies that support the federal government (such as Medicare); and all third-party vendors and subcontractors that work with government agencies. Key requirements of FISMA include categorizing, maintaining, and securing the IT system inventory and its associated risks; keeping an up-to-date information security plan; implementing and documenting security controls following NIST SP 800-53; and conducting risk assessments according to NIST SP 800-30 guidelines.
FISMA also mandates the disposition of end-of-life information following NIST SP 800-88 data disposal requirements. All of SEM’s high security paper shredders, disintegrators, IT shredders, IT crushers, and degaussers are appropriate for the disposal of FISMA-covered data following NIST SP 800-88 protocols.