
FISMA
The Federal Information Security Modernization Act (FISMA) defines a framework of guidelines and security standards to protect government information and operations. FISMA was originally passed as the Federal Information Security Management Act in 2002 as part of the E-Government Act.
FISMA metrics are aligned to the five functions outlined in NIST's Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover.

FISMA DETERMINATION RUBRICS:

FISMA BACKGROUND INFORMATION:
Not all projects need to be FISMA-compliant; whether FISMA applies depends on the type of data, the funding source, and institutional requirements. You can use the ARCH FISMA Determination rubrics to determine whether FISMA applies to a given AI/ML project in biomedical and clinical healthcare research:
When FISMA Compliance is required:
FISMA applies to projects that:
Receive federal funding: If the project is funded by a U.S. federal agency (e.g., NIH, NSF, DoD, VA, HHS, FDA) and involves federal data systems, FISMA likely applies.
Handle federal data: If the research uses, stores, or transmits government-provided biomedical or clinical datasets, it must comply with FISMA.
Integrate with federal systems: If an AI/ML model connects to or integrates with a government system (e.g., VA, CDC, FDA, CMS), it must follow FISMA.
Use cloud services for federal work: If AI/ML is deployed on cloud services for federally funded research, it may need to run on FedRAMP-authorized platforms (e.g., AWS GovCloud, Microsoft Azure Government, Google Cloud for Government).
When FISMA Compliance is not required:
FISMA does not apply if:
The project is privately funded (e.g., industry, nonprofit, university grant) and does not use federal resources.
The research does not involve federal data (e.g., self-collected clinical trial data that is not connected to government systems).
The AI/ML tool is for open academic research and is not directly tied to federal infrastructure.
The work involves publicly available data (e.g., open-access biomedical datasets, synthetic data).
Hybrid Scenarios/Partial FISMA Compliance:
Some projects may need partial FISMA compliance, such as:
Collaborations with federal agencies where only a subset of data requires secure handling.
University research projects that later transition to federal funding, requiring phased FISMA adoption.
Public-private partnerships where industry follows different security standards (e.g., ISO 27001, HITRUST, HIPAA) but interacts with FISMA-controlled datasets.