Federal Information Security Management Act (FISMA) Implementation Project

The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents include NIST SPs 800-37, 800-53, and 800-53A.

The first phase of the FISMA Implementation Project focuses on the development of the security standards and guidance required to effectively implement the provisions of the legislation. The second phase of the FISMA Implementation Project will focus on the development of a program for credentialing public and private sector organizations to provide security assessment services for federal agencies.

The FISMA Implementation project develops information security standards (Federal Information Processing Standards) and guidelines (Special Publications in the 800-series) for non-national security federal information systems, including the development of:

• Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and information systems to be included in each category; and
• Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category.

Phase I:

• FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (Final)
• FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems (Final
• NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems (Final)
• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems (Final)
• NIST Special Publication 800-30, Revision 1, (Draft), Guide for Conducting Risk Assessments, (publication refocused to address risk assessments during employment of the NIST Risk Management Framework).
• NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Final)
• NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (Final)
• NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (Final)
• NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Final)
• NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans (Final)
• NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System (Final)
• NIST Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories (Final)
• NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems (Final)
• NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations

Phase II:

• NISTIR 7328, Security Assessment Provider Requirements and Customer Responsibilities; Building a Security Assessment Credentialing Program (Draft)
• FAQ’s (Frequently Asked Questions) and QSG’s (Quick Start Guides) for Risk Management Framework Steps: Categorize, Select, Implement, Assess, Authorize, Monitor; Training Modules.
• On-line Course Available: "Applying the Risk Management Framework to Federal Information Systems"