Federal Information Security Modernization Act of 2014 (FISMA 2014)

Federal Information Security Modernization Act of 2014 (FISMA 2014)

The Federal Information Modernization Act of 2014 or FISMA 2014 for short is a federal law that was created to update the federal government’s cybersecurity policies and practices in order to address more modern security concerns. As an amendment of the Federal Information Security Management Act of 2002, FISMA 2014 requires all federal agencies to report the status of their information security programs to the Office of Management Budget or OMB. Moreover, FISMA 2014 also mandates that the Inspectors General conduct annual independent assessments of these federal information security programs.

Furthermore, the OMB in combination with the Department of Homeland Security or DHS are responsible for collaborating with interagency partners in order to develop and create FISMA metrics along with assistance from the Inspectors General , as well as a Chief Information Officer or CIO. Additionally, the OMB is charged with working with others within the Federal privacy community to develop metrics for the Senior Agency Official for Privacy or SAOP. Through the creation of these various metrics, the Federal government is afforded a modernized way of tracking and evaluating the cybersecurity practices of a particular government agency.

What are the FISMA compliance requirements?

FISMA created an information security framework that must be adhered to and followed by all federal agencies, including the legislative and executive branches, any businesses who may be in contracts with these government branches, as well as any state agencies who are administering or operating federal programs. This information security framework includes the following compliance requirements:

  • Information system inventory – All federal agencies and their associated contractors must take inventory of all information systems that are currently being used within their network.
  • Risk categorization- All information and information systems must be categorized in accordance with their potential risk in order to ensure that the most vulnerable and sensitive forms of data are given the appropriate level of protection.
  • System security plan – All federal agencies are required to both create and maintain a security plan that is continually updated to ensure effective and efficient security policies and controls over time.
  • Security Controls- Federal agencies are mandated to implement the minimum information system security controls as outlined by the National Institute of Standards of Technology or NIST. What’s more, these agencies must also specific controls from the NIST 800-53 catalog that correspond to with what is necessary for each system
  • Risk assessments – When a change is made to a federal agencies system, said agencies must then conduct risk assessments to establish whether their security controls are adequate or if the implementation of further controls is needed.
  • Certification and accreditation – The FISMA certification and accreditation process contains four different phases. These phases include initiation and planning, certification, accreditation, and continuous monitoring.

What are the consequences for non-compliance under FIMSA 2014?

The primary consequence for non-compliance under FISMA 2014 is the loss of federal contracts or funding, as well a censure on the part of congress. However, there are a variety of other consequences that can result from non-compliance of FISMA 2014 in the midst of our digital age. One of these consequences is reputational damage. As consumers continue to request further transparency from the companies and businesses they engage with, cybersecurity failures can also be associated with overall business failure.

To provide a non federal example of this potential reputational damage, online website Comparitech analyzed the stock market price impacts of 34 companies that either experienced or were directly affected by data breaches in 2021. Their observations resulted in the following key findings:

  • Market share prices of companies involved in a data breach hit a low point of 110 in the immediate days after said data breach.
  • -8.6% underperformance on NASDAQ after one year.
  • -11.3% underperformance on NASDAQ after two years.
  • -15.6% underperformance on NASDAQ after three years.

While the stock market is obviously not a metric that can be used to measure the impact of data breaches in the context of federal agencies, these metrics can show cybersecurity failures can impact the public perception of a particular company or business. In addition to reputational damage, federal agencies who fail to set up adequate cybersecurity measures in accordance with FISMA 2014 may also be forced to testify before congress, depending on the scope or severity of said cybersecurity failures. In the most severe data breach cases, federal contractors can also be censured from being awarded any further government funding or contracts.

As the role of cybersecurity continues to increase in importance due to new dangers that exist on the internet, it is fitting that the federal government updated their cybersecurity framework to match current cybersecurity threats. To this end, The FISMA 2014 provides American citizens with an improved level of protection in regards to the information that they may disclose to federal entities. As so many of our nation’s most critical business sectors depend on information technology systems to carry out their various operations and functions, the role of the FISMA 2014 and similar cybersecurity laws are made that much more relevant.