This page provides an overview of the Federal Information Security Management Act (FISMA).

Grey Matter complies with FISMA.

The Federal Information Security Management Act (FISMA) of 2002, enacted as Title III of another law, requires each federal agency to develop, document, and implement a program that provides information security for all information systems supporting that agency. It mandates FIPS 200 (basic security requirements) and uses the NIST Special Publication 800-53 controls to evaluate information systems.

Nine Steps to FISMA Compliance

  1. Categorize the information to protect using FIPS 199 categories.

  2. Select the minimum baseline controls for each category.

  3. Refine with risk assessment procedures.

  4. Document the controls in a system security plan.

  5. Implement the controls for appropriate information systems.

  6. Assess the effectiveness once the controls have been implemented.

  7. Determine the agency-level risk to the mission or business case.

  8. Authorize the system for processing.

  9. Monitor controls continuously.

System security plans must follow NIST SP 800-18. FISMA assigns specific responsibilities to certain federal agencies to follow up on and monitor compliance.
