In plain terms. The original FISMA (2002) made information security a legal duty for federal agencies and put the Office of Management and Budget in charge of overseeing it. It is part of the Homeland Security Act of 2002.
Who it applies to. Federal agencies, plus any organization or contractor that operates an information system on an agency's behalf.
What it requires.
- The OMB Director sets information-security standards, oversees how agencies implement them, and ensures protections match the risk and potential harm.
- Standards are based on NIST work and are binding on agencies; they set minimum controls but may not dictate specific hardware or software, so agencies keep flexibility and can use commercial off-the-shelf products.
- Every agency must build an agency-wide security program approved by OMB and run an independent annual evaluation of its effectiveness.
Why it matters. FISMA 2002 created the framework — risk-based, NIST-driven, independently audited — that still governs federal security and, through flow-down, the requirements contractors must meet.
Citation. Pub. L. 107-296 (Nov. 25, 2002).
Superseded by FISMA 2014; see that law and its NIST/OMB implementation.