Skip to Navigation
Skip to Main content
OIG Home
OIG Home


Skip SHARE THIS PAGE section Skip STAY CONNECTED section


The Federal Information Security Management Act of 2002 (FISMA), codified the importance of information security to the economic and national security interests of the United States. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized the need for cost-effective, risk-based security programs. FISMA requires Inspectors General, as well as agency program officials and Chief Information Officers, to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses these data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with the act.


To produce security standards and guidelines for FISMA, the National Institute of Standards and Technology (NIST) established the FISMA Implementation Project in 2003. The project aims to support the implementation of and compliance with FISMA standards. Per FISMA, an effective information security program should include, among other things,

  • periodic assessments of risk, including the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
  • policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system
  • security awareness training to inform personnel of information security risks
  • periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls
  • a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies
  • procedures for detecting, reporting, and responding to security incidents
  • plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization

In support of FISMA, OMB requires executive agencies within the federal government to

  • plan for security
  • ensure that appropriate officials are assigned security responsibility
  • periodically review the security controls in their information systems
  • authorize system processing prior to operations and periodically thereafter

A key element of the FISMA Implementation Project is NIST's integrated Risk Management Framework, which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.

OIG Reporting Metrics

OIGs are not expected to conduct their own full risk analysis but rather to evaluate how agencies are evaluating risk and prioritizing security issues. OIGs are encouraged to evaluate agency findings and compare them to existing agency priorities, administration priorities, and key FISMA metrics.

Our office assesses the information security programs of the Board and the CFPB in the following 11 areas:

  • continuous monitoring management
  • configuration management
  • identity and access management
  • incident response and reporting
  • risk management
  • security training
  • plans of action and milestones
  • remote access management
  • contingency planning
  • contractor systems
  • security capital planning

We evaluate 96 attributes across these 11 areas and determine whether the Board and the CFPB have established a program for information security in each area. We then determine whether specific elements were in place for each program and report the data to OMB.



See common Information Technology questions and answers.