Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA), enacted as Title III of the E-Government Act of 2002 (Public Law (P.L.) 107-347) and updated by the Federal Information Security Modernization Act of 2014 (P.L. 113-283), requires federal agencies, and those providing services on their behalf such as universities, to develop, document, and implement security programs for the information systems they operate. Individual awards may add further conditions, such as requiring that the data be stored on U.S. soil. This means that, under some federal contracts or grants, information the university collects, or information systems the university uses to process or store research or other data, must comply with FISMA. Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is of utmost importance that researchers, in conjunction with the Office of Grants and Contracts (OGC), proactively review and document grant and contract language to identify FISMA or other information security requirements. A log or list of grants and contracts containing FISMA or other security requirements, such as those citing DFARS clause 252.204-7012 (which requires the controls in NIST Special Publication 800-171), will help to ensure compliance.
Examples of research work at NMSU that might be regulated by FISMA include research in which funding is provided by federal organizations such as:
  • Department of Defense
  • National Institutes of Health
  • NASA
  • Department of Veterans Affairs, etc.

Complying with FISMA at NMSU – 15.62 – Protection of Federal Information; FISMA Compliance

Compliance with FISMA is mandatory; failure to comply after an award has been accepted can lead to contract termination and revocation of funds. Beyond monetary penalties, failing a FISMA inspection can result in unfavorable publicity, increased oversight, criminal penalties, and the university's inability to acquire future funding.

Policies and Procedures

Each NMSU office or researcher (Principal Investigator (PI)) handling FISMA-protected data, or holding an award, grant or contract containing information security stipulations such as those required by DFARS, should develop procedures detailing the conduct of its operations and align those operations to NMSU's updated 15.62 – Protection of Federal Information; FISMA Compliance Administrative Rule and Procedure (ARP). The procedures should include a documented System Security Plan (SSP) to ensure implementation of the physical, administrative and technical safeguards required by the contract or grant agreement.

Resources from Federal Agencies and NIST

Oversight of FISMA is shared: the Office of Management and Budget (OMB) sets policy, and the Department of Homeland Security (DHS) administers its implementation across agencies. Changes and updates can be found at https://www.dhs.gov/fisma.

Individual contracts may identify additional controls, but the following core publications from the National Institute of Standards and Technology (NIST) should be reviewed and considered in relation to FISMA compliance:
  • Federal Information Processing Standards (FIPS) 199 – Standards for Security Categorization of Federal Information and Information Systems
  • Federal Information Processing Standards (FIPS) 200 – Minimum Security Requirements for Federal Information and Information Systems
  • NIST Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations (superseded by Revision 5 in 2020; check which revision the award cites)
  • NIST Special Publication 800-59 – Guideline for Identifying an Information System as a National Security System
  • NIST Special Publication 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories
  • NIST Special Publication 800-37 – the Risk Management Framework (RMF) for federal information systems
  • NIST Special Publication 800-39 – Managing Information Security Risk
  • NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, in support of its statutory responsibilities under FISMA (P.L. 107-347). It should be noted that the handling of classified information is consistent and mature across federal agencies, but that has not been the case for Controlled Unclassified Information (CUI). Executive Order 13556 (issued November 4, 2010) therefore requires federal agencies, and those providing services on their behalf, to establish a CUI program to consistently manage, handle and protect all CUI.

The National Archives and Records Administration (NARA) was designated as the CUI Executive Agent to implement, oversee and ensure compliance. The Information Security Oversight Office (ISOO), a component of NARA, directly oversees compliance, offers guidance and resources, and has identified the security requirements in NIST SP 800-171 as the means of protecting CUI on nonfederal systems. The implementing regulation (32 CFR Part 2002) took effect in November 2016, and NARA gave federal agencies two years to fully implement a CUI program (refer to the visual below depicting the timeline as provided by NARA; Day 0 is November 16, 2016). It should be noted that NMSU has already seen NIST SP 800-171 requirements included in awarded grants and contracts.

CUI Program at NMSU

NMSU is holistically reviewing, analyzing and assessing the impact of the CUI program on current NMSU systems and data, and is revising its policies and procedures accordingly. For more information regarding the progress of implementing the CUI program at NMSU, contact NMSU's IT Compliance Officer at 575-646-5902.

Roles & Responsibilities and Reporting FISMA violations

NMSU has designated the Information Technology Compliance Officer as the Chief Privacy Officer (CPO) to coordinate FISMA compliance at all NMSU campuses. The CPO is responsible for interpreting FISMA-defined information, providing guidance on information security policies, evaluating existing information security policies, proposing new information security policies, and recommending changes to existing policies for NMSU. The CPO is the point of contact for reporting security violations and/or suspicious activity, and the subject matter expert on activities under FISMA's purview.

For more information contact:

Carlos S. Lobato, CPA
Chief Privacy Officer