• United States



Do States Need FISMA Compliance? It depends. (Part 2 of 2)

Dec 07, 20062 mins
Identity Management SolutionsIT Leadership

Depending on who you talk to, the Federal Information Security Management Act (FISMA) is either the greatest thing in the world or a government bureaucratic mess. Is FISMA coming soon to a state or local government near you? Isn’t the first word “Federal?”

A few things are clear:

1)      FISMA compliance has posed significant challenges for federal agencies. Hundreds of articles have been written about FISMA compliance, the infamous report cards – where eight agencies, including the departments of Defense, State and Homeland Security, received failing F grades, and another five agencies received grades between D+ and D-. Seven agencies, including the Department of Labor and the Social Security Administration, received grades of A- or better.

2)      State and local governments receive a large percentage of their IT dollars from the feds. In Michigan, approximately 60% of our IT budget comes from the federal government. Some states get more, some less, but the dollars are huge.

3)      There has been no formal OMB decision (that I am aware of) on whether state agencies must comply with FISMA security requirements for systems that receive federal information or dollars.   

4)      While state and local governments can separate out federal from non-federal systems as far as compliance goes, it’s very difficult when systems are so interconnected. Many of the compliance directives deal with networks and even such areas as privacy on websites. Most locals are trying to move away for stovepipes for efficiency reasons.

5)      Federal auditors are showing up in the states now. They are often interpreting FISMA guidance as proof that state systems that are acting as custodians of federal information and/or receiving federal dollars must comply. Questions arise around how fully…

6)      I suspect that this will be tested formally by some state or local government at some point and viewed as an unfunded mandate.

In the meantime, I’d advise state and local IT professionals to at least start reading up on FISMA. You can also start to get that security wording into new contracts where you are custodians of federal data and receive federal dollars. 

Bottom line, stay tuned. This show is just beginning – and I expect multiple episodes.

 I also value your comments. What’s your viewpoint?


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.

More from this author