Federal Information Security Modernization Act of 2014 (FISMA 2014)


The Federal Information Security Modernization Act of 2014, or FISMA 2014 for short, is a federal law created to update the federal government's cybersecurity policies and practices so that they address more modern security concerns. As an amendment of the Federal Information Security Management Act of 2002, FISMA 2014 requires all federal agencies to report the status of their information security programs to the Office of Management and Budget (OMB). Moreover, FISMA 2014 also mandates that the Inspectors General conduct annual independent assessments of these federal information security programs.

Furthermore, the OMB, together with the Department of Homeland Security (DHS), is responsible for collaborating with interagency partners to develop FISMA metrics, with assistance from the Inspectors General and the Chief Information Officer (CIO). Additionally, the OMB is charged with working with others in the Federal privacy community to develop metrics for the Senior Agency Official for Privacy (SAOP). Through these various metrics, the Federal government gains a modernized way of tracking and evaluating the cybersecurity practices of a particular government agency.

What are the FISMA compliance requirements?

FISMA created an information security framework that must be adhered to by all federal agencies, including the legislative and executive branches, any businesses that hold contracts with these government branches, and any state agencies that administer or operate federal programs. This information security framework includes the following compliance requirements:

What are the consequences of non-compliance under FISMA 2014?

The primary consequence of non-compliance under FISMA 2014 is the loss of federal contracts or funding, as well as censure by Congress. However, a variety of other consequences can result from non-compliance with FISMA 2014 in our digital age. One of these is reputational damage. As consumers continue to demand greater transparency from the companies and businesses they engage with, cybersecurity failures can also become associated with overall business failure.

To provide a nonfederal example of this potential reputational damage, the website Comparitech analyzed the stock market price impact on 34 companies that either experienced or were directly affected by data breaches in 2021. Their observations produced the following key findings:

While the stock market is obviously not a metric that can measure the impact of data breaches on federal agencies, these figures show that cybersecurity failures can affect public perception of a particular company or business. In addition to reputational damage, federal agencies that fail to set up adequate cybersecurity measures in accordance with FISMA 2014 may also be required to testify before Congress, depending on the scope or severity of the cybersecurity failures. In the most severe data breach cases, federal contractors can also be barred from being awarded any further government funding or contracts.

As cybersecurity continues to grow in importance in response to new dangers on the internet, it is fitting that the federal government updated its cybersecurity framework to match current threats. To this end, FISMA 2014 provides American citizens with an improved level of protection for the information they disclose to federal entities. Because so many of our nation's most critical business sectors depend on information technology systems to carry out their operations and functions, the role of FISMA 2014 and similar cybersecurity laws is made that much more relevant.
