What Is FISMA?
The Federal Information Security Modernization Act of 2014 (FISMA) is the primary federal law governing information security for federal agencies and the systems that support them. FISMA at 44 U.S.C. §3551 et seq. requires every federal agency to develop, document, and implement an agency-wide information security program that protects the information and information systems that support the operations and assets of the agency. Media disposal is a mandatory component of that program.
Governing statute: Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. §3551 et seq., Public Law 113-283
Predecessor: Federal Information Security Management Act of 2002 (FISMA 2002), substantially modernized by the 2014 act
Primary implementation guidance: NIST SP 800-53 Rev 5 (security controls), NIST SP 800-88 r2 (media sanitization), FIPS 199 (security categorization)
Oversight: Office of Management and Budget (OMB) — policy oversight; CISA (Cybersecurity and Infrastructure Security Agency) — operational coordination; NIST — standards development
Annual reporting: Each agency head reports FISMA compliance annually to OMB and Congress
FISMA itself does not define specific technical methods for media sanitization. Instead, it requires agencies to implement security controls based on NIST guidance. The applicable NIST standard for media disposal is NIST SP 800-88 r2, which every federal agency is required to follow when sanitizing or disposing of media that contains federal information.
What FISMA Requires for Media Disposal
FISMA’s media disposal requirements flow through the NIST SP 800-53 Rev 5 control catalog, specifically the Media Protection (MP) family. NIST SP 800-88 r2 is the technical standard that implements these controls for federal agencies.
Control MP-6: Media Sanitization (NIST SP 800-53 Rev 5)
NIST Control: MP-6 (Media Sanitization)
What it requires: The organization sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse.
Applicable sanitization standard: NIST SP 800-88 r2 — the method must match the media type and the security categorization of the system.
MP-6 Enhancement (1) — Review, Approve, Track, Document, Verify: Agencies must review, approve, track, document, and verify media sanitization and disposal actions.
MP-6 Enhancement (2) — Equipment Testing: Agencies must test sanitization equipment and procedures to verify correct performance annually.
Control MP-7: Media Use (NIST SP 800-53 Rev 5)
NIST Control: MP-7 (Media Use)
What it requires: The organization restricts the use of certain types of information system media on information systems or system components.
Relevance to disposal: Restricted media that is removed from service must be sanitized per MP-6 requirements before disposal.
Control MP-8: Media Downgrading (NIST SP 800-53 Rev 5)
NIST Control: MP-8 (Media Downgrading)
What it requires: The organization establishes a downgrading process for information system media that includes verification of downgrading actions.
Relevance to disposal: Classified or high-sensitivity media being moved to a lower classification level requires documented downgrading before disposal or reuse.
FIPS 199 Security Categorization
Standard: FIPS Publication 199 (Standards for Security Categorization of Federal Information and Information Systems)
What it does: Assigns information systems a security category of Low, Moderate, or High based on the potential impact of a breach of confidentiality, integrity, or availability.
Relevance to disposal: The FISMA security category determines the required sanitization level under NIST SP 800-88 r2. Low-categorization systems permit Clear-level disposal for reuse. High-categorization systems require Destroy-level disposal for final disposition.
How Data Destruction Inc. Satisfies FISMA Requirements
Data Destruction Inc. provides federal agency data destruction services that satisfy NIST SP 800-53 Rev 5 control MP-6 through documented NIST SP 800-88 r2 Destroy-level physical destruction.
| NIST 800-53 Control | DDI Service | NIST r2 Category | Federal audit evidence |
|---|---|---|---|
| MP-6 (disposal) | Hard drive shredding | Destroy (§3.1.3) | Certificate of Destruction with r2 section + serialized inventory |
| MP-6 (disposal) | Hard drive crushing | Destroy (§3.1.3) | Certificate of Destruction with r2 section + serialized inventory |
| MP-6 (reuse) | Data wiping | Clear/Purge (§3.1.1/§3.1.2) | Certificate of Destruction + wipe report |
| MP-6 + witness | Witnessed destruction | All categories | CoD + signed witness page + chain-of-custody log |
| MP-6 Enhancement (2) | Documented destruction procedures | N/A | Service agreement specifying NIST 800-88 r2 methods |
The Certificate of Destruction issued by Data Destruction Inc. documents every required element of MP-6 compliance: media type, sanitization method, NIST SP 800-88 r2 category and section, serialized asset inventory (one entry per device), date and location, technician name and signature, and witness signature. These certificates satisfy the “review, approve, track, document, and verify” requirement of MP-6 Enhancement (1).
Who Must Comply with FISMA?
FISMA applies to federal agencies and to certain categories of contractors and third parties.
Federal agencies (mandatory): All federal executive branch agencies must implement FISMA-compliant information security programs. This includes departments, agencies, offices, and commissions of the executive branch of the federal government.
Federal contractors: Organizations that operate federal information systems under a contract or agreement with a federal agency must comply with the same FISMA requirements as the agency itself, as specified in the contract. A contractor managing an agency’s IT infrastructure is subject to the same MP-6 media sanitization requirements as the agency.
State and local governments receiving federal grants or operating systems on behalf of federal programs may be subject to FISMA-aligned requirements under the conditions of the grant or agreement.
Military components: DoD components follow FISMA but implement it through DoD Instruction 8500.01 and related policy, with CMMC adding contractor-side requirements. The underlying NIST standards (SP 800-88 r2, SP 800-53 Rev 5) apply across both civilian and defense contexts.
FISMA Audit Process and Media Disposal Findings
FISMA requires annual reporting from each agency to OMB and Congress. Agency Inspectors General (IGs) conduct independent FISMA evaluations. Media disposal is a recurring finding category in FISMA audits.
Annual FISMA report: Each agency submits an annual FISMA report to OMB covering security status, vulnerabilities, and corrective action plans. OMB publishes a consolidated annual FISMA report to Congress.
IG evaluations: Agency IGs evaluate the effectiveness of the agency’s information security program independently. IG FISMA evaluations frequently include testing of media sanitization practices.
Common FISMA media disposal audit findings: media disposed of without documented sanitization (no Certificate of Destruction); sanitization method did not match NIST SP 800-88 r2 requirements for the media type; no serialized inventory of destroyed assets; sanitization equipment not tested annually (missing MP-6 Enhancement (2) compliance); and end-of-life media stored in unsecured locations rather than being sanitized.
Consequence of a finding: An IG finding that an agency failed to follow NIST SP 800-88 r2 for media disposal results in a Material Weakness in the agency’s FISMA report. Material Weaknesses are reported to Congress and require a documented corrective action plan with a specific remediation timeline.
Media Disposal Requirements by FIPS 199 Security Category
Under FISMA, the required sanitization level depends on the FIPS 199 security category of the information system. High-categorization systems require Destroy-level disposal for final disposition. Use this matrix to match the system category to the correct NIST SP 800-88 r2 method.
| FIPS 199 Category | Examples | NIST r2 Category for Final Disposal | DDI Method |
|---|---|---|---|
| Low | Public information systems, internal communication tools | Clear (§3.1.1) acceptable for reuse; Destroy for final disposal | Data wiping or shredding |
| Moderate | Federal employee HR systems, grant management, benefits systems | Purge (§3.1.2) or Destroy (§3.1.3) for final disposal | Shredding / crushing |
| High | Law enforcement databases, intelligence systems, financial clearinghouses | Destroy (§3.1.3) required for permanent disposal | Witnessed shredding with CoD |
| All categories — SSDs | Any SSD or NVMe storage regardless of system category | Destroy (§3.1.3) or Purge via Cryptographic Erase (CE) (§3.1.2 + §3.2) | Shredding (CE requires §3.2 verification) |
| All categories — reuse | Any media reassigned within the same agency | Clear (§3.1.1) within same boundary; Purge if leaving boundary | Data wiping with wipe report |
Standards and Frameworks That Implement FISMA Requirements
FISMA does not define its own technical methods. It directs agencies to implement NIST standards. The following standards, policies, and frameworks form the FISMA compliance stack for media disposal. A documented NIST SP 800-88 r2 Destroy-level process satisfies all of them simultaneously.
| Standard or framework | Relationship to FISMA media disposal |
|---|---|
| NIST SP 800-88 r2 | The technical standard implementing FISMA control MP-6 (NIST SP 800-53 Rev 5) |
| CMMC 2.0 | DoD contractors face both FISMA (civilian contracts) and CMMC (DoD contracts) requirements |
| DoD NISPOM (32 CFR Part 117) | Defense contractors handling classified media follow NISPOM, aligned with FISMA/NIST 800-88 r2 |
| HIPAA Disposal Rule | Federal healthcare agencies face both FISMA and HIPAA disposal obligations simultaneously |
| ISO 27001 / 27040 | Federal agencies with international operations may align FISMA controls with ISO Annex A.7.14 |
Authoritative Source and Official Regulation
FISMA · Federal Information Security Modernization Act of 2014, 44 U.S.C. §3551 et seq.
Current: FISMA 2014, Public Law 113-283 — implementing guidance via NIST SP 800-53 Rev 5
Annual OMB FISMA report and agency IG evaluations govern enforcement. Monitor NIST csrc.nist.gov for SP 800-53 and SP 800-88 updates that affect FISMA implementation.
Frequently Asked Questions
Does FISMA require a specific destruction method for federal media?
FISMA itself does not specify methods. It requires agencies to follow NIST guidance. The applicable NIST standard is NIST SP 800-88 r2, which defines Clear, Purge, and Destroy methods by media type and security category. For federal information systems categorized as Moderate or High under FIPS 199, Destroy-level disposal (physical shredding or crushing) is the standard method for permanent disposal.
Does FISMA apply to federal contractors?
Yes. Federal contractors that operate federal information systems under agency contracts must implement the same FISMA controls as the agency itself. The contract specifies the applicable security requirements. A contractor managing federal servers, data centers, or IT infrastructure must sanitize decommissioned media per NIST SP 800-88 r2 and provide the agency with the documentation required for FISMA MP-6 compliance.
What documentation does a FISMA audit require for media disposal?
A FISMA audit evaluating MP-6 compliance looks for: a written media sanitization policy, a log of all media sanitized or destroyed (serialized, with dates and methods), evidence that the sanitization method matched NIST SP 800-88 r2, and annual testing records for sanitization equipment. The Certificate of Destruction from Data Destruction Inc. satisfies the destruction event documentation requirement. The service agreement with DDI satisfies the written policy component for contracted disposal.
What is the relationship between FISMA and CMMC?
FISMA governs civilian federal agencies and their contractors. CMMC governs defense contractors specifically. Both frameworks require media sanitization per NIST SP 800-88 r2 and both use NIST SP 800-53 Rev 5 as the control framework. CMMC adds a third-party assessment requirement, performed by a Certified Third-Party Assessment Organization (C3PAO), for Level 2 contractors that FISMA does not require for civilian contractors. A defense contractor may face both FISMA requirements (through a federal contract) and CMMC requirements (through a DoD contract) simultaneously.
Who oversees FISMA compliance for federal agencies?
OMB sets FISMA policy and reviews agency reports. CISA provides operational coordination, including incident response support and assessment tools. Agency Inspectors General conduct independent evaluations. NIST develops the technical standards (SP 800-53 Rev 5, SP 800-88 r2) that implement FISMA requirements. For civilian agencies, the agency CIO is accountable for the agency’s FISMA posture. For DoD, the DoD CIO oversees FISMA compliance across the military departments.
