Federal Information Security Management Act (FISMA)

About FISMA

The Federal Information Security Management Act of 2002 (FISMA) is a law requiring protection of the sensitive data created, stored, or accessed by the Federal Government or any entity on behalf of the Federal Government. The law established a formal Certification and Accreditation (C&A) process that requires a minimum set of security controls and a formal audit prior to obtaining an "Authority to Operate", or ATO.   In April 2010, the Office of Management and Budget issued a Memorandum requiring each Federal Agency to report its FISMA activities to Congress. This memo also reiterated the requirement that Agencies include FISMA requirements in ALL contracts involving sensitive data, as well as grants where sensitive information is created, accessed, or stored on behalf of the Federal Government.    Compliance with FISMA may be a requirement of a government contract and possibly a grant. The FISMA process recognizes that not all sensitive information has the same level of risk and has identified three security categories to identify systems: Low, Moderate, and High.

Guidance Statement

In the course of preparing grant applications or conducting a sponsored project, Dartmouth's faculty, staff and students may plan to collect information that may include both academic, research, protected health or personal related data. Dartmouth and its employees, under U.S federal and state data privacy and security laws, have an obligation to implement appropriate safeguards to protect such confidential information residing both inside and outside of the United States. For a particular sponsored project, there may be requirements placed by external entities on the use of their data and data sets for the protection of human subject research.   In addition, certain funding announcements may include complex terms such as Federal Information Security Management Act (FISMA), NIST 800-53, and the Family Educational Rights and Privacy Act (FERPA).

Recommended Procedures

1. Identify and understand data security requirements:   Data security requirements may be more complex than they appear. Carefully review the funding announcement and provide a copy to OSP. Unusual data security requirements are typically addressed in the sponsor's announcement/solicitation. The types of solicitations that may include such a requirement are Broad Agency Announcements (BAA), Requests for Proposal (RFP), Data Use Agreements (DUA) and Requests for Quote (RFQ). The most often cited references to the requirements are The Health Insurance Portability and Accountability Act (HIPAA) but announcements could also mention other regulations such as FISMA.
2. Evaluate your resources and consult with IT:  Many researchers and departments may not have the required financial, IT, and human resources to implement and support such requirements.  When submitting proposals to external sponsors, budgets should be developed with a full understanding of costs related to IT and information security roles and responsibilities, and in advance of entering into a sponsored research agreement with a sponsor.  If you are preparing a proposal in response to a solicitation with an information and/or data security requirement, be sure to consider and include the cost of implementing this requirement in the proposal budget.
3. Allow time and budget for costs involved in setting up infrastructure.
4. Contact Dartmouth resources below for assistance.

Audience for Guidance

• Dartmouth Information Security Committee
• All members of the research community
• Computing Staff (Central, Divisional and Local)
• Department research administrators and OSP
• Deans, directors, and department heads

Resources

• Office of Sponsored Projects:  Dartmouth College's Office of Sponsored Projects is a service to provide efficient and effective mechanisms for preparing, submitting and managing sponsored awards for research and other programs. Award and regulatory terms and conditions may include requirements for information and data security.   Investigators and their research teams must be aware of these requirements and seek assistance and guidance to assure compliance.
• Chief Information Security Officer: The Chief Information Security Officer (CISO) reports to the CIO, and works to advance information security policy and awareness/training on the Dartmouth campus. The CISO is responsible for: Information Security Governance, Policy, Training, and Continuous improvement. 
• Chief Information Officer: The CIO leads Dartmouth's Computing Services, including management of the College's data centers, application development, IT support, academic computing and classroom technology services, and IT security.

Policy and Regulatory References

• Dartmouth Information Security Policy (DISC Policy)
• OMB Memo on FISMA (with respect to grants and contracts involving use of government information) 
• Federal Information Security Management Act (FISMA)
• Implementation Project FISMA website
• NIAID Data Security Standard Operating Procedure
• NIST Risk management framework (RMF) ---frequently asked questions (FAQ's), Roles and responsibilities & quick start guides (QSG's)