What is FISMA?
FISMA stands for the Federal Information Security Management Act.
FISMA is a federal law that requires specific security controls for information systems that process, transmit, or store federal data. This mandate covers government agencies as well as the contractors and grantees that work on behalf of those agencies. As a major research institution, UAB is awarded such contracts and grants and, as a result, its researchers can fall under the FISMA umbrella. Because it is a federal law, FISMA compliance is mandatory: UAB researchers must meet the minimum security controls prescribed by FISMA whenever the federal contract or grant specifies that they must.
Does FISMA apply to my research?
When evaluating a new research effort or preparing to renew an ongoing effort, start by discovering whether FISMA-specific language is included in the terms of the federal contract or grant. Such FISMA-specific language often appears in the special contract requirements or security requirements sections of those documents. Look for references such as the following:
- IT Security Plan or System Security Plan (IT-SP or SSP)
- IT Risk Assessment (IT-RA or RA)
- FIPS 199 and FIPS 200 Standards
- NIST Special Publications (SP) 800-26, 800-30, 800-37, and/or 800-53
- Federal Information Security Management Act
If you find references to one or more of these topics, your research project might require FISMA compliance. FISMA compliance is required if federal data is being stored, processed, and/or transmitted by a contractor/grantee. If your research project does not store, process and/or transmit federally owned data, you likely will not be required to meet FISMA information security requirements even if your contract/grant includes FISMA-specific language.
If you discover FISMA requirements in your contract or grant, reach out to your primary contact at the sponsoring government agency tied to the contract or grant. Ask them for clarification regarding how the FISMA language should be interpreted.
FISMA is NOT required
Even if FISMA is not required, your research project must still follow all federal laws and UAB policies, standards, and rules related to information security and the protection of UAB-owned resources and data.
FISMA is required
You have identified that FISMA compliance is required for your research. Now what? Creating a FISMA-compliant environment requires creating and maintaining a large amount of documentation. However, solutions can be developed by leveraging UAB resources and/or third-party service providers.
Common Strategies
- The solo approach:
The organization itself creates all of the documentation, designs and builds the controls and the information system, and conducts the continuous monitoring activities itself.
- The hybrid approach:
The organization itself creates all of the documentation and designs and builds the controls and the information system that are specific to its mission. The organization then secures a third party to host the information system and provide additional controls. Any third-party cloud provider must be approved in advance by UAB’s Vice President for Information Technology.
UAB IT resources
- Compliance Handbook:
We have developed a FISMA Compliance Handbook for UAB Researchers and Support Staff.
- SSP templates:
Templates were developed to aid researchers in meeting their FISMA requirements. These templates can be used as a model to speed up the process of developing an SSP, but information related to your specific project will be required.
Refer to our Risk Management page and be sure to follow the guidelines there as you begin the process of FISMA compliance. If you need additional assistance, please submit a ticket.
Checklist of required documents
- System Security Plan
- Security Assessment Report
- Plan of Action and Milestones
Primary Standards
- Access Control Standard and Procedures
- Awareness and Training Standard and Procedures
- Audit and Accountability Standard and Procedures
- Security Assessment and Authorization Standard and Procedures
- Configuration Management Standard and Procedures
- Contingency Planning Standard and Procedures
- Identification and Authentication Standard and Procedures
- Incident Response Standard and Procedures
- System and Information Integrity Standard and Procedures
- Maintenance Standard and Procedures
- Media Protection Standard and Procedures
- Physical and Environmental Standard and Procedures
- Planning Standard and Procedures
- Personnel Security Standard and Procedures
- Risk Assessment Standard and Procedures
- System and Services Acquisition Standard and Procedures
- System and Communications Protection Standard and Procedures
Supporting Documentation
- FIPS 199 and 200 Assessments
- ISSO Appointment Letter
- Configuration Control Board (CCB) Charter
- CCB Minutes Template
- Change Request Form Template
- Security Impact Analysis Template
- Network Diagram
- Data Flow Diagram
- Media Transport/Destruction Form
- Rules of Behavior for Users
- Risk Assessment and Business Impact Analysis
- System Interconnection Agreement Template
- List of Approved System Interconnections
- System Inventory List
- List of Approved Hardware
- List of Approved Software
- List of Approved Ports, Protocols and Services
- List of Approved Vendors
- List of Approved Users
- ATO Request Letter