Eastern Michigan University

Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA requirements are most often passed along to the university as conditions of grants or contracts with federal agencies that report to the executive branch. To the extent that contractor, state, or grantee systems process, store, or house Federal Government information (for which the agency continues to be responsible for maintaining control), their security controls must be assessed against the same National Institute of Standard and Technology (NIST) criteria and standards as if they were a government-owned or operated system.


NIST defines nine steps to FISMA compliance:

  1. Categorize the information to be protected
  2. Select minimum baseline controls
  3. Refine controls using a risk assessment procedure
  4. Document the controls in the system security plan
  5. Implement security controls in appropriate information systems
  6. Assess the effectiveness of the security controls once they have been implemented
  7. Determine agency-level risk to the mission or business case
  8. Authorize the information system for processing
  9. Monitor the security controls on a continuous basis
Additional Resources

Using Federal Information Security Management Act

Permitted uses (Yes), uses that are not permitted (No), and uses that require contacting I.T. first (Contact I.T.) are listed in the three columns of the matrix below.

YES | NO | CONTACT I.T.
Note: Don't see what you need? Email the I.T. Security Team at it-security@emich.edu.