Please see OSP FAQs and UAB IT Compliance FAQs for more information regarding FISMA.
What is FISMA?
FISMA is the Federal Information Security Management Act of 2002 [44 U.S.C., Sec. 3541 et seq.]. FISMA was enacted as Title III of the E-Government Act of 2002 (Public Law 107-347, 116 Stat. 2899-2970, H.R. 2458). The Act requires that federal agencies provide information security, including for services provided by contractors or other sources. FISMA assigns responsibility to the National Institute of Standards and Technology (NIST) for providing the standards and guidance that help agencies meet the requirements of the law.
Does FISMA apply to my grant or contract?
FISMA requirements for the security of information and information systems apply if they were described in the RFA or the terms/conditions of the award. The grant/contract usually specifies the overall risk level (Low, Moderate, or High).
What are these requirements intended to do?
The requirements are intended to ensure confidentiality, integrity, and availability of data. Read more here.
- Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity – Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
- Availability – Ensuring timely and reliable access to and use of information.
[44 U.S.C., Sec. 3541 et seq.]
What is the regulatory basis for such requirements?
“Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”
Federal Information Security Management Act of 2002: Title III of the E-Government Act of 2002
What do I have to do to comply with FISMA requirements?
Compliance requires a coordinated effort by the PI/research team and IT personnel. The specific requirements depend on the risk level, the kind of work being performed, and the kind of data involved. In general, compliance requires developing and submitting a FISMA Management Plan for approval by the sponsor, followed by ongoing evaluation, refinement, and reporting against that plan. The Plan must follow the six-step Risk Management Framework described in NIST Special Publication 800-37.
Your FISMA Management Plan should include:
| Component | Description |
|---|---|
| Scope of Work | Identification and description of the work (including any to be performed by subcontractors), internal and external sources of data, systems for data processing and storage, all hardware and software to be used for the project, personnel involved, facilities, configuration controls, etc. |
| Implementation of Controls | In addition to the controls normally associated with computer use, FISMA requirements include such things as personnel background checks, surveillance cameras, disaster recovery plans, system backups, training, use of dedicated computers, encryption of data lines, workstation restrictions, security monitoring, physical access controls to work areas, etc. |
| Evaluation of Controls | Verification that the appropriate security controls are in place and that security events are monitored, generated, and recorded; verification of data restoration procedures; validation that surveillance cameras are working; review of access logs; etc. |
So what does this REALLY mean to me and my research team?
Depending on the Management Plan –
- Additional study costs, in some cases significant, especially when an offsite, commercial third-party FISMA-compliant data processing/storage facility is used or extraordinary data processing is needed.
- Additional workload from conforming to, and monitoring, the added security requirements.
- Possible project start-up delays due to creation and approval of the Management Plan.
What is UAB doing to help?
UAB IT is providing consultation for investigators accepting awards with such terms/conditions. Options are being considered for developing a central, on-campus FISMA-compliant data processing/storage facility. Expertise in the continuing system audit function is being developed.
Who should I contact for more information?
Bob Cloud
Enterprise Infrastructure Services
Important Links
UAB Information Disclosure and Confidentiality Policy