In plain terms. FISMA 2014 is the law that sets how federal agencies must run their cybersecurity. It updated the 2002 version to keep pace with modern information and communications technology.
Who it applies to. Federal agencies directly. Contractors are affected indirectly: the security standards agencies adopt under FISMA flow down into the contracts and systems you operate on their behalf.
What it requires.
- Each agency head must delegate to the agency's Chief Information Officer (CIO) the authority to ensure compliance with FISMA; the CIO in turn designates a senior agency information security officer (the agency CISO) to carry out day-to-day security duties.
- Each agency's Inspector General (or an outside independent auditor, if the agency has no IG) performs an independent security assessment every year.
- It created a central federal incident center to give agencies technical help, analyze threats, and warn operators of vulnerabilities.
- It tasked the Office of Management and Budget (OMB) Director with defining what counts as a "major incident," keeping federal data-breach notification policies current, and requiring agencies to notify Congress when a major incident occurs (within 7 days of having a reasonable basis to conclude one has happened).
Why it matters. FISMA is the backbone of federal information security. The standards it drives (largely NIST publications) are what ultimately appear as contract security requirements, so its rules shape what contractors must implement.
Citation. Pub. L. 113-283 (Dec. 18, 2014).
Related standards. NIST FIPS 199/200 and SP 800-53 (federal systems); SP 800-171 (CUI on contractor systems); OMB annual FISMA guidance (currently M-25-04).