The Federal Information Systems Security Act of 2002 (FISMA) establishes responsibility and accountability for the security of all federal agency information systems.
The purpose of this memorandum is to provide OHSU users with guidance for responding to inquiries regarding OHSU’s compliance with FISMA. OHSU is not a federal agency and is, therefore, not explicitly subject to FISMA. OHSU is, however, subject to other legislation that requires similar reasonable information security safeguards.
The purpose of this memorandum is to communicate Oregon Health & Science University’s enterprise security control baselines with regard to FISMA. Although OHSU is not a federal agency and, therefore, not explicitly subject to FISMA, we have undertaken an evaluation of our existing information privacy and security program against the standards defined in National Institute for Standards and Technology (NIST) Special Publication 800-53, Revision 4.