What does FISMA require and how does RMF relate?

Prepare for the Information Systems Technician Second Class (IT2) Advancement Exam. Engage with multiple choice questions and explanations to enhance your understanding. Master the content and boost your confidence!

Multiple Choice

What does FISMA require and how does RMF relate?

Explanation:
FISMA requires federal agencies to protect information and information systems with a formal, risk-based information security program, including documented processes, periodic assessments, authorization, and ongoing monitoring. RMF provides the practical way to implement those requirements. It gives a structured, repeatable process for selecting and applying security controls (from a standard catalog, such as NIST SP 800-53), tailoring them to the system’s impact level, implementing and assessing them, obtaining authorization to operate, and continuously monitoring the security posture. RMF is not about prescribing encryption algorithms; encryption is one of many possible controls within the catalog, chosen based on risk. The DoD/Navy have adopted RMF as their approach to meet FISMA, but RMF itself is a broader framework used across federal agencies to achieve compliant, ongoing security.

