SF - 2.12.0 - FISMA
The Federal Information Systems Management Act, or FISMA, is a law in the United States, and therefore applies only to American systems, and primarily to American government systems. Its significance to the broader field of information security is that Americans tend to assume that their laws apply to anyone else who deals with American companies or government agencies. I have mentioned the Sarbanes-Oxley law, an American law that contains wording similar to that in various other American laws, stating that, if you do significant business with an American company, you are deemed to have accepted that the law applies to you. The law deems you to have accepted that it applies to you even if you do not know that the law exists.
An additional issue with FISMA is that it really only specifies that you need to apply appropriate protection to any information management system, where "appropriate" means proportionate to the importance of the information contained within the system. The details of which particular programs are important, and what the protections for these systems are, are set out in various additional standards, such as the National Information Assurance Certification and Accreditation Process (NIACAP), the National Institute of Standards and Technology outline (which tends to also apply to non-government systems), the Defense Information Technology Systems Certification and Accreditation Process (DITSCAP), and Director of Central Intelligence Directive 6/3.
Security frameworks (SF) series:
Introduction and ToC: https://fibrecookery.blogspot.com/2026/06/security-frameworks-sf-0000-intro-and.html
Next: TBA