Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA requirements are most often passed along to the university as conditions of grants or contracts with federal agencies that report to the executive branch. To the extent that contractor, state, or grantee systems process, store, or house Federal Government information (for which the agency continues to be responsible for maintaining control), their security controls must be assessed against the same National Institute of Standard and Technology (NIST) criteria and standards as if they were a government-owned or operated system.


NIST defines nine steps to FISMA compliance:

  1. Categorize the information to be protected
  2. Select minimum baseline controls
  3. Refine controls using a risk assessment procedure
  4. Document the controls in the system security plan
  5. Implement security controls in appropriate information systems
  6. Assess the effectiveness of the security controls once they have been implemented
  7. Determine agency-level risk to the mission or business case
  8. Authorize the information system for processing
  9. Monitor the security controls on a continuous basis

Laws, Regulations and Policies

Additional Resources

Using Federal Information Security Management Act

The following are not permitted to using the Federal Information Security Management Act:

  • Banner
  • Bomgar
  • Canvas
  • Google Mail and Calendar
  • Google Drive
  • Goggle Talk, Sites and Tasks
  • Google (All Other Apps)
  • Personal Accounts
  • Personal Devices
  • Samanage
  • Shared Drive
  • U.achieve
  • Virtru Email
  • Virtru Secure Share

Don't see what you need? Email the I.T. Security Team at [email protected].

Skip Section Navigation