is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.
[1] FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security."[1]
FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB).
OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.
FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information security systems.
In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.
NIST performs its statutory responsibilities through the Computer Security Division of the Information Technology Laboratory.
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches.
Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in NIST Special Publication 800-53.
This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments.
Risk is then determined by calculating the likelihood and impact of any given vulnerability being exploited, taking into account the controls already in place.
Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified.
Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.
The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved.