Risk Management Framework


The Federal Information Security Modernization Act, or FISMA governs how the Department of Homeland Security (DHS) administers information security policies for US Government Executive Branch agencies.

Framework Summary

FISMA was first codified in 2002, and has been updated nearly every year since in order to keep pace with an ever-changing cybersecurity landscape. FISMA compliance is evaluated on different system categorization levels (Low, Moderate, High) as determined by the Standards for Security Categorization of Federal Information and Information Systems (FIPS-199).

Once a system categorization is determined, organizations implement the appropriate controls detailed in NIST 800-53.

The FISMA compliance process is relatively straightforward, but typically it is quite difficult to fully achieve given its level of depth.

  1. Inventories - Identifying and organizing all information systems, detailing how they're used, and interconnected.
  2. Categorization - All information must be categorized according to the risk level to ensure that information is protected appropriately.
  3. System Security Plan (SSP) - This is a well-maintained document that details process and procedures.
  4. Controls - NIST 800-53 contains hundreds of security controls that must be implemented and documented.
  5. Assessments - Detailed assessments to determine risks to the business/team, business processes, and information systems must be regularly completed.
  6. C&A - Once certified as compliant, teams must prepare for annual reviews to ensure ongoing compliance.

Free Discovery Session

Have a quick question?
Email us: cybersecurity@mindpointgroup.com
Give us a call: (703) 636-2033 Option 2