Federal Information Security Management Act (FISMA)
- Department of Defense
- National Institutes of Health
- Department of Veterans Affairs, etc.
Complying with FISMA at NMSU – 15.62 – Protection of Federal Information; FISMA Compliance
Compliance with FISMA is mandatory; failure to comply after an award has been accepted could lead to contract termination and revocation of funds. In addition to monetary penalties, failure to pass a FISMA inspection can result in unfavorable publicity, increased oversight, criminal penalties and failure of the university to acquire future funds.
Policies and Procedures
Each NMSU Office or Researcher (Principal Investigator (PI)) handling FISMA-protected data, or having an award, grant or contract containing information security stipulations such as those required by DFARS, should develop procedures detailing the conduct of its operations and align those operations with NMSU’s updated 15.62 – Protection of Federal Information; FISMA Compliance Administrative Rule and Procedure (ARP). The procedures should include a documented system security plan to ensure the implementation of the physical, administrative and technical safeguards required by the contract or grant agreement.
Resources from Federal Agencies and NIST
FISMA is administered by the Department of Homeland Security. Changes and updates can be found at https://www.dhs.gov/fisma.
Individual contracts may identify additional controls, but the following core publications from the National Institute of Standards and Technology (NIST) should be reviewed and considered in relation to FISMA compliance:
The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. It should be noted that the handling of classified information is consistent and mature across federal agencies, but that is not the case for Controlled Unclassified Information (CUI); Executive Order 13556 therefore requires federal agencies, and those providing services on their behalf, to establish a CUI program to consistently manage, handle and protect all CUI.
The National Archives and Records Administration (NARA) was designated as the federal agent to implement, oversee and ensure compliance. The Information Security Oversight Office, a component of NARA, directly oversees compliance, offers guidance and resources, and has identified the security requirements in NIST SP 800-171 as a way to ensure compliance. Executive Order 13556 became effective November 16, 2016, and NARA has given federal agencies two years to fully implement a CUI program (refer to the visual below depicting the timeline as provided by NARA; Day 0 is November 16, 2016). It should be noted that NMSU has already seen the inclusion of NIST SP 800-171 requirements in awarded grants & contracts.
CUI Program at NMSU
NMSU is in the process of holistically reviewing, analyzing and assessing the CUI program’s impact on current NMSU systems and data, and is revising its policies and procedures accordingly. For more information regarding the progress of implementing the CUI program at NMSU, contact NMSU’s IT Compliance Officer at 575-646-5902.
Roles & Responsibilities and Reporting FISMA violations
NMSU designated the Information Technology Compliance Officer as the Chief Privacy Officer (CPO) to coordinate FISMA compliance at all NMSU campuses. Further, the CPO is responsible for interpreting FISMA-defined information, providing guidance on information security policies, evaluating existing information security policies, proposing new information security policies, and recommending changes to existing NMSU policies. The CPO is the point of contact for security violations and/or suspicious activity, and the subject matter expert on activities under FISMA’s purview.
For more information contact:
Carlos S. Lobato, CPA
Chief Privacy Officer