Federal Information Security Management Act (FISMA)
- Department of Defense
- National Institutes of Health
- Department of Veterans Affairs
Complying with FISMA at NMSU
Compliance with FISMA is mandatory; failure to comply after an award has been accepted could lead to contract termination and revocation of funds. In addition to monetary penalties, failure to pass a FISMA inspection can result in unfavorable publicity, increased oversight, criminal penalties and the university's inability to acquire future funds.
FISMA is administered by the Department of Homeland Security. Changes and updates can be found at https://www.dhs.gov/fisma.
Individual contracts may identify additional controls, but the following core publications from the National Institute of Standards and Technology (NIST) should be reviewed and considered in relation to FISMA compliance:
The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. It should be noted that the handling of classified information is consistent and mature across federal agencies, but that is not the case for Controlled Unclassified Information (CUI); therefore Executive Order 13556 requires federal agencies, and those providing services on their behalf, to establish a CUI program to consistently manage, handle and protect all controlled unclassified information (CUI).
The National Archives and Records Administration (NARA) was designated as the federal agent to implement, oversee and ensure compliance. The Information Security Oversight Office is a component of NARA; it directly oversees compliance, offers guidance and resources, and has identified the security requirements in NIST SP 800-171 as a way to ensure compliance. Executive Order 13556 became effective November 16, 2016, and NARA has given federal agencies two years to fully implement a CUI program (refer to the visual below, provided by NARA, depicting the timeline; Day 0 is November 16, 2016). It should be noted that NMSU has already seen the inclusion of NIST SP 800-171 requirements in awarded grants and contracts.
CUI Program at NMSU
NMSU is in the process of holistically reviewing, analyzing and assessing the CUI program's impact on current NMSU systems and data, and is revising its policies and procedures accordingly. For more information regarding the progress of implementing the CUI program at NMSU, contact NMSU's IT Compliance Officer at 575-646-5902.