INFORMATION SYSTEMS SECURITY REQUIREMENTS
FISMA: FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

FISMA requires each federal agency to develop, document and implement information security programs for data and information systems (IS) that support the agency’s mission, operations, and assets.

FISMA compliance does not stop with the federal agency. Often it extends to data and IS provided or managed by an institution working under a federal contract or subcontract.

Not all federal contracts/subcontracts include FISMA terms; there are only a handful across Mass General Brigham. The small number does not make non-compliance any less of a risk. The PI should review the RFP and contract/subcontract terms to determine whether the project is subject to FISMA. The most common FISMA terms are FAR Clause 39.201 or HHSAR Clauses 352.239-70 through 352.239-74. Sometimes, the federal agency inserts its own clause simply entitled “FISMA.”

Engaging with the Mass General Brigham Research Computing Core and Pre-Award as soon as possible is strongly recommended. A contract with FISMA terms will not be accepted by a hospital without sign-off by MGB Research Computing confirming that the FISMA terms can be met. To assist PIs and Departments in navigating FISMA requirements from proposal preparation through post-award compliance, we have developed a FISMA SOP and post-award tools.

FISMA REQUIREMENTS

Not all FISMA requirements are the same. They are based on:

  • Standards defined by the National Institute of Standards and Technology (NIST), and
  • Sensitivity level assigned to the IS associated with the contract’s scope of work.

Requirements may include:

  • Annual training of employees who have system access within the project and/or Mass General Brigham IS, or
  • Development of a complex security assessment, subject to agency approval, that incorporates employee background and credit checks, fingerprinting, and FBI review. The assessment must be reviewed on an annual basis.

If a contract/subcontract includes FISMA requirements, the Mass General Brigham Research Computing Core is available to provide the above services at a fee. These costs are the responsibility of the PI/Department.

  • With prior approval of the agency/contracting officer, they may be direct charged to the contract.
  • Without agency approval, they must be covered by Sundry or other institutional funds.

Federal agencies typically require submission of a risk assessment and/or security plan with the contract/subcontract proposal. It can take 30 to 90 days to conduct an assessment and draft a security plan.

FedRAMP: FEDERAL SPONSORED RESEARCH CONTRACTS WITH INFORMATION SECURITY TERMS

FedRAMP terms are not the same as FISMA terms. FedRAMP requires each federal agency, throughout the lifecycle of federal contracts and subcontracts, to develop technical security procedures, annual IS reports to federal sponsors, employee rosters, and/or background checks that are not standard for Mass General Brigham institutions. FedRAMP IS requirements also apply to cloud services; consult with ERIS if you need assistance with Cloud models. FedRAMP IS terms may also be referenced as DFARS Clause 252.204.7012.

The PI should review the RFP and contract/subcontract to determine whether the project is subject to FedRAMP and contact the Mass General Brigham Research Computing Core for an assessment and FedRAMP plan prior to submitting the proposal to Pre-Award. A contract with FedRAMP requires sign-off by the Director of ERIS to confirm that the FedRAMP requirements have been met to date and can continue to be met.

Additionally, the PI is responsible for contacting ERIS, Mass General Brigham Research Information Security Office (RISO), and their hospital’s Information Security Officer (ISO) 90 days prior to the date annual reports are due. To assist PIs and Departments in navigating FedRAMP requirements, a FedRAMP SOP has been developed.
