🇺🇸 Live Defense & National Security

FISMA — Federal Information Security Modernization Act (44 U.S.C. §3551-3558)

Requires US federal agencies to develop, implement, and maintain information security programs.

View official source document

Rules extracted

174

Obligations decomposed

14.5x

Avg obligations per rule

🇺🇸 United States

Jurisdiction

About this regulation

FISMA 2014 (Public Law 113-283) modernizes the Federal Government's cybersecurity practices by codifying DHS authority to administer information security policies for non-national-security federal systems, strengthening OMB oversight, mandating continuous monitoring, requiring agency CIOs to develop risk-based security programs, and establishing CISA as the federal incident response center. It amends Subchapter II of Chapter 35 of Title 44, replacing the original FISMA 2002 provisions. Agencies must implement NIST-developed security standards (FIPS) and guidelines (SP 800-series), obtain Authority to Operate (ATO) for each system, report incidents to CISA, and undergo annual IG evaluations. OMB Circular A-130 supplements FISMA with detailed requirements for managing federal information resources, including security planning, risk management, and supply chain risk management.

What AuditDSS covers

Source

Regulation

Extracted

Rules

Decomposed

174

Obligations

14.5x

Decomposition ratio

Each rule is decomposed into an average of 14.5 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 174 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in FISMA is scored across independent risk dimensions:

Obligation Weight

How critical within the regulatory framework

Violation Likelihood

How often breached in practice

Enforcement Evidence

Regulator enforcement history and penalties

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title: FISMA — Federal Information Security Modernization Act (44 U.S.C. §3551-3558)
Regulatory body: Office of Management and Budget
Jurisdiction: 🇺🇸 United States
Document type: statute
Effective date: December 18, 2014
Issuing authority: United States Congress
Industry: Defense & National Security
Official source: View source document ↗

Who this applies to

federal agenciesagency CIOsinspectors generalcontractorscloud service providers

Key requirements

agency information security programs
risk assessments
NIST 800-53 security controls
system authorization (ATO)
continuous monitoring
incident reporting to CISA
annual IG evaluations
FISMA metrics and scoring
supply chain risk management
FedRAMP cloud security

Frequently asked questions about FISMA

What is FISMA?

Who does FISMA apply to?

FISMA applies to federal agencies, agency CIOs, inspectors general, contractors, cloud service providers.

How many obligations does FISMA contain?

AuditDSS has decomposed FISMA into 174 atomic obligations from 12 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of FISMA?

The key requirements include: agency information security programs, risk assessments, NIST 800-53 security controls, system authorization (ATO), continuous monitoring, incident reporting to CISA, annual IG evaluations, FISMA metrics and scoring, supply chain risk management, FedRAMP cloud security.

How can I assess my FISMA compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 174 FISMA obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces FISMA?

FISMA is enforced in United States by Office of Management and Budget.

When did FISMA come into effect?

FISMA became effective on December 18, 2014.

What industry does FISMA apply to?

FISMA is primarily relevant to the Defense & National Security industry. AuditDSS covers 69 regulations in this industry sector.

Build a FISMA compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for FISMA — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering FISMA requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine FISMA with other regulations into a single unified compliance pack for your business.

Build FISMA compliance pack

Already have a policy? Assess it against FISMA

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

AI maps against 174 obligations

Your document is scored against every obligation in FISMA. Each claim is mapped to the obligation tree and evaluated for coverage.

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.