
Federal Information Security Management Act (FISMA)


The Federal Information Security Management Act:

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to provide security protections for “information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”1 FISMA applies both to federal government agencies and to organizations that possess federal information, but only if they are using it on behalf of a federal agency.2 For example, FISMA applies to state agencies administering federal programs, including Medicare and Medicaid.

The purpose of FISMA is to provide for the development and maintenance of the minimum controls necessary to protect federal information and information systems, commensurate with the risk and magnitude of harm resulting from unauthorized access, use, or disclosure.3 FISMA applies to all federal information, including data, information systems, and information technology (i.e., networks and computers), all forms of information (such as paper, electronic, and audio), and all types of information (including sensitive and personally identifiable information).4

Generally, FISMA compliance requires agencies to:
  1) Develop an agency-wide information security program;5
  2) Conduct annual reviews of the effectiveness of the agency’s information security and privacy programs and report the results to OMB annually;6 and
  3) Produce a complete and accurate inventory of all information systems, including their security status and requirements.7

FISMA is overseen by the Office of Management and Budget (OMB).

Federal Information Security Modernization Act of 2014 (FISMA 2014):

In December 2014, FISMA was updated to authorize the Department of Homeland Security to aid OMB in the administration and implementation of information security policies. 

  • 1. Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3544 (2006).
  • 2. Office of Mgmt. & Budget, Executive Office of the President, OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management 13-14 (2010) [hereinafter OMB M-10-15].
  • 3. See generally 44 U.S.C. § 3544.
  • 4. OMB M-10-15, supra note 211, at 5.
  • 5. FISMA at § 3544(b).
  • 6. FISMA at §§ 3544(c); 3545(a).
  • 7. 44 U.S.C. § 3505.