= Federal Information Security Management Act = The '''Federal Information Security Management Act''' ('''FISMA''') identifies security controls on the use of [[UnitedStates/InformationLaw/PersonallyIdentifiableInformation|PII]] by federal agencies. <> ---- == Description == === Privacy Impact Assessment === Before records systems can be developed or purchased by a federal agency, they must undergo a '''Privacy Impact Assessment''' ('''PIA'''). This assessment weights the benefits of the system against the risks of PII misuse or leaks. It also assesses the quality and legal compliance of security controls used in and around the system. If an established records system that has not undergone a PIA will be ''newly'' used to store PII, it is now required to undergo a PIA. Similarly, the digitization of a records system that has not undergone a PIA is required to undergo a PIA. Exceptions are made for national security systems and paper records systems. === System of Records Notice === If a records system is approved by the PIA, the agency must publish a '''System of Records Notices''' ('''SORN''') informing the public of... * the type of PII that will be collected and stored * the agency's legal authority to collect this PII * the security controls used in and around the records system * how individuals can determine if their PII is stored in the records system * how individuals can obtain a copy of their PII from the records system SORNs are published in the Federal Register, and the publication must be completed before any collection may begin. === Disclosures === PII stored in a records system can only be disclosed if (1) the corresponding individual submits a written request to disclose, or (2) has given prior written consent to disclose. Aside from this, there are 12 categories of ''' permitted disclosures'''. 1. Disclosure to staff who have a need to know the PII 2. Disclosure as required by [[UnitedStates/InformationLaw/FreedomOfInformationAct|FOIA]] 3. Routine use of the records as established in the SORN 4. Disclosure to the [[UnitedStates/CensusBureau|Census Bureau]] for the purpose of conducting a census or survey 5. Disclosure for statistical analysis or reporting without individual data 6. Disclosure to the [[UnitedStates/NationalArchivesAndRecordsAdministration|NARA]] 7. Disclosure to a law enforcement agency for the purpose of a civil or criminal investigation 8. Disclosure for compelling or emergency circumstances affecting an individual's health or safety 9. Disclosure to Congress 10. Disclosure to the [[UnitedStates/GovernmentAccountabilityOffice|GAO]] 11. Disclosure persuant to court order 12. Disclosure to a consumer reporting agency === Office of Management and Budget Memoranda === '''OMB M-17-12''' requires agencies to disclose PII leaks, including... * Details on the incident and when it occured * How the incident was discovered * If leaked information was unencrypted * Steps being taken to protect affected individuals, including a point of contact * Details on the internal investigation and remediation ---- == History == FISMA was passed as part of the '''E-Government Act of 2002'''. The act was amended in 2014 by the '''Federal Information Security Modernization Act'''. ---- CategoryRicottone