FISMA
FISMA is the Federal Information Security Modernization Act of 2014 (Public Law 113-283), which amended the Federal Information Security Management Act of 2002 and is codified at 44 USC Chapter 35, Subchapter II (sections 3551-3559). FISMA is the US federal statutory framework for information security. It applies to all federal agencies (national security systems are excluded and covered separately) and to contractors operating systems on behalf of federal agencies.

Statutory structure:

- Section 3551: Purposes.
- Section 3552: Definitions.
- Section 3553: Authority and functions of the Director of OMB and of CISA (the Cybersecurity and Infrastructure Security Agency, at DHS), including Binding Operational Directives (BODs) for federal civilian agencies.
- Section 3554: Federal agency responsibilities, including agency CIO and CISO designations, agency-wide information security programs, risk assessments and incident reporting.
- Section 3555: Annual independent evaluation by the agency Inspector General (IG).
- Section 3556: Federal Information Security Incident Center (formerly US-CERT, now CISA).
- Section 3557: National security systems (NSS), excluded from FISMA and governed separately by CNSS and Intelligence Community Directive 503.
- Section 3558: Effect on existing law.
- Section 3559: Savings provisions.

Operationalisation: FISMA is implemented through:

1. NIST SP 800-53 Rev 5 (Security and Privacy Controls, 1,189 controls), covered separately on this platform.
2. NIST SP 800-37 Rev 2 (Risk Management Framework: Categorize, Select, Implement, Assess, Authorize, Monitor).
3. NIST SP 800-171 Rev 3 (Protecting Controlled Unclassified Information in Nonfederal Systems) for contractor systems.
4. FIPS 199 (system categorization as Low, Moderate or High).
5. FIPS 200 (minimum security requirements).
6. FedRAMP (Federal Risk and Authorization Management Program, for cloud services), covered separately on this platform as the FedRAMP Moderate, High and Rev 5 Program reference.
7. CISA Binding Operational Directives (for example BOD 22-01 KEV Catalog, BOD 23-01 Asset Visibility, BOD 23-02 Internet-Accessible Networking Devices).
8. OMB Memoranda (M-22-09 Zero Trust, M-22-18 SBOM, M-24-15 FedRAMP modernization).

2024-2025 priorities: Zero Trust Architecture per OMB M-22-09 and the CISA Zero Trust Maturity Model v2, the National Cybersecurity Strategy, and alignment with the CIRCIA Final Rule (2026).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
FISMA: Annual Independent Evaluation (IG Audit) and OMB FISMA Report
| Code | Title |
|---|---|
| FISMA-3555-Annual-IG-Evaluation | Annual Independent Evaluation by Inspector General (44 USC 3555) |
FISMA: Coordination with FedRAMP, EO 14028, OMB Memoranda and Status
| Code | Title |
|---|---|
| FISMA-Coord-NIST-CSF-ISO27001-SOC2 | Coordination with NIST CSF 2.0, ISO 27001, SOC 2 and Industry Frameworks |
| FISMA-FedRAMP-Cloud-Coordination | FedRAMP for Cloud Services + 800-37 ATO Integration |
| FISMA-Reform-Pipeline | FISMA 2.0 Reform Pipeline, Legislative Activity and Future State |
| FISMA-Status-2024-2025 | FISMA Status, 2024-2025 Modernization, OMB FISMA Report and Reform Proposals |
| FISMA-Status-RefArchitecture | FISMA-Status-Reference-Architecture - Operationalisation Map |
FISMA: Federal Agency Responsibilities (CIO, CISO, Program, Reporting)
| Code | Title |
|---|---|
| FISMA-3554-Agency-Responsibilities | Federal Agency Responsibilities (44 USC 3554) - CIO + CISO + Program + Reporting |
FISMA: National Security Systems Exclusion + CIRCIA + Zero Trust
| Code | Title |
|---|---|
| FISMA-3556-FederalCIRC-3557-NSS | Federal Information Security Incident Center (44 USC 3556) + National Security Systems Exclusion (44 USC 3557) |
| FISMA-CIRCIA-ZTA-EO14028 | CIRCIA, Zero Trust Architecture, EO 14028 + 14110 + OMB Memoranda |
FISMA: OMB + CISA Authority + Binding Operational Directives
| Code | Title |
|---|---|
| FISMA-3553-OMB-CISA-BOD | OMB and CISA Authority and Binding Operational Directives (44 USC 3553) |
FISMA: Operationalisation via NIST 800-53 RMF + 800-171 + FIPS 199/200
| Code | Title |
|---|---|
| FISMA-NIST-800-53-RMF-800-171-FIPS | Operationalisation via NIST 800-53 + 800-37 RMF + 800-171 + FIPS 199 + FIPS 200 |
FISMA: Statutory Structure (44 USC 3551-3559) and Definitions
| Code | Title |
|---|---|
| FISMA-3551-3552-Purposes-Defs | Purposes and Definitions (44 USC 3551-3552) |
Your Compliance Coverage
If you comply with FISMA, you already cover:
- BSI IT-Grundschutz: 25% (3 controls mapped)
- Vietnam Law on Cybersecurity (No. 24/2018/QH14): 25% (3 controls mapped)
- Vermont Artificial Intelligence and Consumer Data Act (AICDA): 25% (3 controls mapped)
- 96 more, including US Gramm-Leach-Bliley Act (GLBA) - Higher Education Safeguards Rule (25%) and US EPA Safe Drinking Water Act (SDWA) - Cybersecurity Requirements (25%)
FISMA maps to 99 other frameworks in total.
Frequently Asked Questions
What is FISMA?
FISMA is a compliance framework from the United States with 7 domains and 12 controls. It is the Federal Information Security Modernization Act of 2014 (Public Law 113-283), the US federal statutory framework for information security for federal agencies and for contractors operating systems on their behalf; its statutory structure (44 USC 3551-3559) and its operationalisation through NIST SP 800-53, SP 800-37, SP 800-171, FIPS 199/200, FedRAMP, CISA BODs and OMB Memoranda are summarised above. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does FISMA have?
FISMA has 12 controls organised across 7 domains. The largest domains are FISMA: Coordination with FedRAMP, EO 14028, OMB Memoranda and Status (5 controls), FISMA: National Security Systems Exclusion + CIRCIA + Zero Trust (2 controls), and FISMA: Annual Independent Evaluation (IG Audit) and OMB FISMA Report (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does FISMA map to?
FISMA maps to 99 other compliance frameworks. The top mapping partners are BSI IT-Grundschutz (25% coverage), Vietnam Law on Cybersecurity (No. 24/2018/QH14) (25% coverage), Vermont Artificial Intelligence and Consumer Data Act (AICDA) (25% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with FISMA compliance?
Start your FISMA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FISMA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 12 controls and track your progress.