Understanding and achieving FISMA compliance on Oracle Cloud for Government

May 12, 2022 | 3 minute read
Aditya Uppu
Solution Architect, Oracle Cloud Infrastructure - Public Sector
Text Size 100%:

Governments are continuing the migration from on-premises solutions to cloud solutions and trying to transition their security practices to the cloud too. Customers are faced with implementing a multitude of security standards and controls, and some ambiguity might exist around what the standards mean or how the standards and control apply to their use case and deployment.

At Oracle, we’re committed to assisting our customers to address the challenges of the constantly evolving and complex regulatory environment. This post focuses on the Federal Information Security Management Act (FISMA). Here, we outline the relationship between various security standards with the intent of support customers looking to migrate existing or build new solutions on Oracle Cloud Infrastructure (OCI) in US Government regions.

What is FISMA?

The Federal Information Security Management Act (FISMA) ensures that all federal agencies follow security standards to safeguard and protect sensitive data. FISMA compliance is a set of data security guidelines established by FISMA and National institute of Standards and Technology (NIST). Originally only applicable to federal agencies, FISMA compliance has evolved over time to include state agencies that manage federal programs, such as Medicare, Medicaid, and unemployment insurance. The compliances standards are also applicable for vendors and companies with contracts to work with federal agencies. One of the prime goals of FISMA is to ensure risk management program implementation, information protection, unauthorized access such as destruction and modification, and securing the integrity, confidentiality, and availability of sensitive information.

FISMA requirements also include maintaining an inventory of information systems, categorizing information according to risk level, maintaining a system security plan that covers the security controls implemented within the organization and a timetable for the introduction of further controls, conducting continuous monitoring, certification and accreditation, risk assessment, and security controls.

An organization’s failure to meet the necessary FISMA requirements or NIST standards can lead to a breach of data, loss of ability to process or handle third-party data, loss of business customers or partners, and regulatory fines.

FISMA compliance levels

In cases where a loss of confidentiality, integrity, and availability can occur, organizations must determine the potential impact in accordance with the FISMA compliance levels are either low, moderate, or high impact. FISMA levels are closely aligned with FedRAMP levels of compliance:

  • Low impact: Limited adverse effects on organizational operations, assets, or individuals, such as minor damage to organization assets or minor harm to individuals or minimal financial loss.

  • Moderate impact: Serious adverse effects to organization operations, assets, or individuals, such as significant damage to organizational assets or financial loss or harm to individuals.

  • High impact: Catastrophic impacts to organization operations, assets, or individuals, such as loss of life or life-threatening injuries to individuals or financial loss or major damage to organizational assets.


FISMA’s goal is to protect government assets from unauthorized access and destruction of information and information systems delivered through traditional on-premises deployments. FISMA offers guidelines for government agencies on how to ensure that data is protected. To achieve this goal, FISMA uses NIST SP 800-53A as its primary framework for its vendors to become FISMA-compliant. FISMA-compliant vendors receive authority to operate (ATO) from agencies with whom they do business.

FedRAMP offers guidelines and aims to make the cloud service provider (CSP) procurement easier on agencies. As FedRAMP inherits the NIST baseline controls, think of it as FISMA for cloud. Because of the overlap between FedRAMP and FISMA security controls, a service or solution that’s FedRAMP-compliant can be FISMA-compliant as well.

Where OCI comes in

Oracle Government Cloud offerings have achieved FedRAMP high JAB accreditation, joined by the infrastructure and platform services generally available in those regions. Oracle Cloud US Government regions provide an excellent platform to host a service or organization seeking FISMA compliance by reducing effort by applying Oracle government cloud’s FedRAMP accreditations.

Oracle’s dedicated compliance team is poised to help customers in pursue of FISMA compliance using products like Oracle Cloud for Government and a rich suite of software- and platform-as-a-service offerings, software applications, tools, and multidecade experience of supporting the US Department of Defense.

For more information, see the following resources:

Aditya Uppu

Solution Architect, Oracle Cloud Infrastructure - Public Sector

Aditya is a Solution Architect with experience in designing business solutions for a wide variety of customers such as Independent Software Vendor,Health Care life Sciences and Public Sector. Aditya have been in the IT industry for the past 15 years and have extensive experience in systems, storage and database engineering.

Previous Post

Florida International University Makes Waves with Oracle Cloud Infrastructure

Mary Olson | 3 min read

Next Post

Non-CDB to PDB conversion on ExaCS using dbaascli

Vivek Verma | 6 min read