The Federal Information Security Management Act (FISMA) was signed into law in
2002 as part of the Electronic Government Act. Recognizing that both the national
and economic security of the United States depend on a robust information
security infrastructure, FISMA compels each federal agency to build and implement
programs that ensure the security (confidentiality, integrity, and availability) of
the agency's information. The law applies to all federal agencies, their contractors,
and anyone else who handles the information used to support the operations of the
agency. FISMA relies on the security categorizations and definitions provided by
Federal Information Processing Standards (FIPS) 199 and 200 in order to fulfill its
goal of ensuring the confidentiality, integrity, and availability of federal information.
How does this affect small business?
Under the interim rule issued in December 2015, DoD contractors must adhere to two
basic cybersecurity requirements, and companies need to be fully compliant by December
31, 2017. First, they must provide adequate security to safeguard covered defense
information that resides in or transits through their internal unclassified information
systems from unauthorized access and disclosure. Second, they must rapidly report cyber
incidents and cooperate with DoD in responding to those incidents, including providing
access to affected media and submitting any malicious software found.