Federal Information Security Management Act (FISMA)
Contractor Monitoring and Controls[1]
36. Must Government contractors abide by FISMA requirements?
Yes. Also, each agency must ensure their contractors are abiding by FISMA requirements. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” Section 3544(b) requires each agency to provide information security for the information and “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” This includes services which are either fully or partially provided, including agency hosted, outsourced, and software-as-a-service (SaaS) solutions. Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems (whether automated or manual) – on behalf of a Federal agency. Such other organizations may include contractors, grantees, State and local Governments, industry partners, providers of software subscription services, etc. FISMA, therefore, underscores longstanding OMB policy concerning sharing Government information and interconnecting systems.
References
- ↑ questions and answers, Oct. 2015; https://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf