FISMA’s Effect on State Agencies
OMB clarified the reach of FISMA in its FY 2006 FISMA reporting instructions to Federal agencies:
“Agency IT security programs apply to all organizations which possess or use Federal information on behalf of a Federal agency…including contractors, grantors, State and Local Governments, etc.”
“Agencies must ensure identical, not equivalent, security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and certification and accreditation must, at a minimum, explicitly meet guidance from NIST.” (OMB 2006)