Federal Information Security Management Act (FISMA) Data

The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil. This means that, under some federal contracts or grants, information the university collects or information systems that the university uses to process or store research data need to comply with FISMA.

Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements.

Frequently Used by: 
Faculty
Staff
Researchers
Category: 
Sensitive
Examples: 

Examples of research work that might be regulated by FISMA include research in which data is provided by federal organizations such as:

  • National Institutes of Health
  • NASA
  • Department of Veterans Affairs
Andrew File System (AFS): 
Not Permitted
Blue Jeans Video Conferencing: 
Not Permitted
Canvas: 
Not Permitted
Cloud Storage Included with Software: 
Not Permitted
CTools: 
Not Permitted
Data Warehouse: 
Not Permitted
Desktop Backup (Powered by CrashPlan): 
Permitted
Desktop Virtualization (VDI): 
With Approval
Digital Signage: 
Not Permitted
Echo360 - Lecture Capture and LectureTools: 
Not Permitted
eResearch: 
Not Permitted
Flux: 
Not Permitted
Globus: 
Not Permitted
ITS Exchange Email and Calendar: 
Not Permitted
M Cloud - Amazon Web Services GovCloud: 
Permitted
M Cloud Amazon Web Services (AWS): 
Not Permitted
Box Additional Apps (Non-Core): 
Not Permitted
Box at U-M Core Apps: 
Not Permitted
Google Additional Services (Non-Core): 
Not Permitted
Google Drive at U-M: 
Not Permitted
Google Mail and Calendar at U-M and Inbox by GMail: 
Not Permitted
Google Sites, Talk/Hangouts, Groups, Tasks, Classroom at U-M: 
Not Permitted
MiDatabase: 
Not Permitted
MiServer: 
Not Permitted
MiShare: 
Not Permitted
MiStorage (for Some Sensitive Data) with CIFS: 
Not Permitted
MiStorage with NFS: 
Not Permitted
MiVideo: 
Not Permitted
MiWorkspace: 
Not Permitted
Personal Accounts (Dropbox, OneDrive, iCloud, etc.): 
Not Permitted
Personally Owned Devices (phone, tablet, laptop, etc.): 
Not Permitted
Qualtrics: 
Not Permitted
ServiceLink: 
Not Permitted
Statistics and Computation Service: 
Not Permitted
MiBackup: 
Not Permitted
Turbo Research Storage with NFS: 
Not Permitted
Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos or CIFS: 
Not Permitted
UMHS Exchange/Outlook Email and Calendar: 
Not Permitted
Virtualization as a Service (VaaS): 
Not Permitted
Armis: 
Not Permitted
Imaging Services: 
Not Permitted

Don't see the service you need? Contact the ITS Service Center.