FISMA began as the Federal Information Security Management Act of 2002, enacted as Title III of the E-Government Act of 2002. The act was a rudimentary form of what we now have as FISMA 2014: it required every federal agency to develop, document, and implement an agency-wide security program for the information systems that support its operations and assets, including systems operated on its behalf by contractors. The act emphasized ‘risk-based’ security programs, meaning the controls selected and the depth of the program would vary from agency to agency according to the risk and magnitude of harm that a loss of confidentiality, integrity, or availability would cause. FISMA was important because it brought attention to cybersecurity among federal agencies, assigned NIST the job of developing the mandatory standards and guidelines agencies must follow, and required agency officials to conduct annual reviews of the security program and report the results to the Office of Management and Budget (OMB).
FISMA 2002 was later amended by the Federal Information Security Modernization Act of 2014, which was passed in response to the growing number of cyber attacks against federal systems and the slow, paperwork-heavy compliance reporting that had built up under the original act. FISMA 2014 was especially important because it tied together the previous stipulations of FISMA 2002, the NIST Risk Management Framework (RMF), and the NIST SP 800-53 control catalog. It also gave the Department of Homeland Security an operational role in administering agency security policies and required agencies to report major incidents, while keeping NIST responsible for the underlying standards and guidelines. The RMF itself is described in NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”, which lays out the lifecycle steps agencies follow to categorize a system, select and implement controls from SP 800-53, assess them, authorize the system to operate, and continuously monitor it. Because FISMA 2014 obligates agencies to follow NIST's standards and guidelines, SP 800-37 became the practical instruction manual for FISMA compliance, which made implementing RMF clearer and closely bound FISMA and RMF together.