Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA), enacted as Title III of Public Law (P.L.) 107-347 and amended by the Federal Information Security Modernization Act of 2014 (P.L. 113-283), requires federal agencies, and organizations such as universities that operate information systems on their behalf, to develop, document, and implement information security programs for those systems. FISMA itself does not dictate where data is stored; requirements such as keeping data within the United States, when they apply, come from the individual contract or grant. In practice this means that, under some federal contracts or grants, information the university collects, or information systems the university uses to process or store research or other data, must comply with FISMA. Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is therefore essential that researchers, together with the Office of Grants and Contracts (OGC), proactively review and document grant and contract language to identify FISMA or other information security requirements. A log or list of grants and contracts containing FISMA or other requirements helps ensure compliance.
Examples of research work at NMSU that might be regulated by FISMA include research in which data is provided by federal organizations such as:
  • Department of Defense
  • National Institutes of Health
  • NASA
  • Department of Veterans Affairs

Complying with FISMA at NMSU

Compliance with FISMA is mandatory once an award has been accepted; failure to comply can lead to contract termination and revocation of funds. Beyond the financial impact, failing a FISMA assessment can result in unfavorable publicity, increased oversight, legal liability depending on the data involved, and difficulty obtaining future federal funding.

FISMA oversight is shared: the Office of Management and Budget (OMB) issues policy, the Department of Homeland Security (DHS) administers operational implementation for civilian agencies, and NIST develops the supporting standards and guidelines. Changes and updates can be found at https://www.dhs.gov/fisma.

Individual contracts may identify additional controls, but the following core publications from the National Institute of Standards and Technology (NIST) should be reviewed and considered in relation to FISMA compliance:
  • Federal Information Processing Standards (FIPS) 199 (categorizing information and systems by impact level)
  • Federal Information Processing Standards (FIPS) 200 (minimum security requirements for federal systems)
  • NIST Special Publication 800-53 Revision 4 (security and privacy control catalog; superseded by Revision 5 in 2020)
  • NIST Special Publication 800-59 (identifying national security systems)
  • NIST Special Publication 800-60 (mapping information types to security categories)
  • NIST Special Publication 800-37 (the Risk Management Framework)
  • NIST Special Publication 800-39 (organization-wide information security risk management)
  • NIST Special Publication 800-171 (protecting Controlled Unclassified Information in nonfederal systems)

NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, under its statutory responsibilities in FISMA. Note that the handling of classified information is consistent and mature across federal agencies, but that has not been the case for Controlled Unclassified Information (CUI). Executive Order 13556 (November 2010) therefore requires executive branch agencies to establish a CUI program that consistently manages, handles, and protects CUI; those requirements flow down to universities and other organizations providing services on an agency's behalf through contract and grant terms.

The National Archives and Records Administration (NARA) was designated as the Executive Agent to implement and oversee the CUI program and ensure compliance. The Information Security Oversight Office (ISOO), a component of NARA, directly oversees compliance, offers guidance and resources, and has identified the security requirements in NIST SP 800-171 as the means for nonfederal organizations to protect CUI. The implementing regulation, 32 CFR Part 2002, became effective November 14, 2016, and NARA has given federal agencies a phased schedule of about two years to fully implement a CUI program (refer to the timeline visual provided by NARA, in which Day 0 is the rule's effective date). NMSU has already seen NIST SP 800-171 requirements included in awarded grants and contracts.

CUI Program at NMSU

NMSU is in the process of holistically reviewing, analyzing, and assessing the CUI program's impact on current NMSU systems and data, and is revising policies and procedures accordingly. For more information regarding the progress of implementing the CUI program at NMSU, contact NMSU's IT Compliance Officer at 575-646-5902.