Federal Information Security Management Act of 2002

Title III of the E-Government Act of 2002, the Federal Information Security Management Act of 2002 ("FISMA"), requires federal government agencies to provide information security protections for agency information and information systems.

Agencies are required to develop, document, and implement an agency-wide information security program “providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”

The agency’s information security plan must also include procedures for detecting, reporting, and responding to security incidents, including mitigating risks associated with such incidents before substantial damage is done, and notifying and consulting with the Federal information security incident center, with law enforcement agencies, and with relevant Offices of Inspector General.

FISMA requires agencies to comply with the information security standards developed by NIST. FISMA also requires agencies to conduct an annual independent evaluation of their security programs, which includes an assessment of the effectiveness of the program, plans, and practices and of compliance with FISMA requirements. The evaluations are forwarded to the Director of the Office of Management and Budget for an annual report to Congress.