
Submitting FISMA Reports to GAO

About FISMA

The Federal Information Security Modernization Act of 2014 (FISMA) provides a cybersecurity framework to help protect federal operations and assets. FISMA requires agencies to develop, document, and implement an agency-wide program to secure federal IT systems and data.

These information security programs are to provide risk-based protections for the information and information systems that support the operations and assets of the agency.

Annual Reporting Requirement

FISMA also requires federal agency Inspectors General, or a designated external auditor, to annually assess the effectiveness of the information security policies, procedures, and practices of their parent agency. In addition, the act requires agencies to report annually to GAO, among others, on the adequacy and effectiveness of their information security policies, procedures, and practices.

How to Submit

Agencies can submit their annual FISMA reports to GAO by

  • emailing FISMA@gao.gov
  • mailing a physical copy to:

    Government Accountability Office
    C/O: Jennifer Franks, Information Technology & Cybersecurity Team
    441 G Street, NW
    Washington, D.C. 20226

Questions? Need more information?

Contact FISMA@gao.gov
