The Federal Information Security Management Act (FISMA) of 2002, enacted as Title III of the E-Government Act of 2002, requires each federal agency to develop, document, and implement an agency-wide program that provides information security for the information and information systems supporting the agency's operations and assets. Under FISMA, FIPS 200 defines the minimum security requirements for federal information systems, and the security controls catalogued in NIST Special Publication 800-53 are used to meet those requirements and to assess the systems that implement them. The resulting process, later formalized by NIST as the Risk Management Framework, consists of the following steps:
1. Categorize the information and the information system according to the impact levels (low, moderate, high) defined in FIPS 199.
2. Select the minimum baseline of security controls for that category.
3. Tailor and supplement the baseline on the basis of a risk assessment.
4. Document the selected controls in a system security plan.
5. Implement the controls in the appropriate information systems.
6. Assess the effectiveness of the controls once they have been implemented.
7. Determine the agency-level risk to the mission or business.
8. Authorize the system for processing.
9. Monitor the controls continuously.
System security plans must follow NIST SP 800-18. FISMA also assigns specific oversight responsibilities: the Office of Management and Budget (OMB) oversees and reports on agency compliance, and NIST develops the standards and guidelines that agencies are required to follow.