Federal Information Security Management Act (FISMA) Data

The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and to store the data on U.S. soil. This means that, under some federal contracts or grants, information the university collects or information systems that the university uses to process or store research data need to comply with FISMA.

Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements.

Frequently Used by: 

Faculty
Staff
Researchers

Category: 

Sensitive

Examples: 

Examples of research work that might be regulated by FISMA include research in which data is provided by federal organizations such as:

  • National Institutes of Health
  • NASA
  • Department of Veterans Affairs

Andrew File System (AFS): 

Not Permitted

Blue Jeans Video Conferencing: 

Not Permitted

Canvas: 

Not Permitted

Cloud Storage Included with Software: 

Not Permitted

CTools: 

Not Permitted

Data Warehouse: 

Not Permitted

Desktop Backup (Powered by CrashPlan): 

Permitted

Desktop Virtualization (VDI): 

With Approval

Digital Signage: 

Not Permitted

Echo360 - Lecture Capture and LectureTools: 

Not Permitted

eResearch: 

Not Permitted

Flux: 

Not Permitted

Globus: 

Not Permitted

ITS Exchange Email and Calendar: 

Not Permitted

M Cloud - Amazon Web Services GovCloud: 

Permitted

M Cloud Amazon Web Services (AWS): 

Permitted

M+Box Additional Apps (Non-Core): 

Not Permitted

M+Box Core Apps: 

Not Permitted

M+Google Additional Services (Non-Core): 

Not Permitted

M+Google Drive: 

Not Permitted

M+Google Mail and Calendar: 

Not Permitted

M+Google Sites, Talk/Hangouts, Groups, Tasks, Classroom: 

Not Permitted

MiDatabase: 

Not Permitted

MiServer: 

Not Permitted

MiShare: 

Not Permitted

MiStorage (for Some Sensitive Data) with CIFS: 

Not Permitted

MiStorage with NFS: 

Not Permitted

MiVideo: 

Not Permitted

MiWorkspace: 

Not Permitted

Personal Accounts (Dropbox, OneDrive, iCloud, etc.): 

Not Permitted

Personally Owned Devices (phone, tablet, laptop, etc.): 

Not Permitted

Qualtrics: 

Not Permitted

ServiceLink: 

Not Permitted

Sitemaker: 

Not Permitted

Statistics and Computation Service: 

Not Permitted

MiBackup: 

Not Permitted

Turbo Research Storage with NFS: 

Not Permitted

Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos: 

Not Permitted

UMHS Exchange/Outlook Email and Calendar: 

Not Permitted

Virtualization as a Service (VaaS): 

Not Permitted

Armis: 

Not Permitted