Federal information security management act, FISMA

4.1.9 Federal Information Security Management Act

All information systems, electronic or hard copy, that contain Federal data must be protected from unauthorized access. This also applies to information associated with NIH grants and contracts. Congress and the OMB have instituted laws, policies and directives that govern the creation and implementation of federal information security practices that pertain specifically to grants and contracts. The current regulations are pursuant to the Federal Information Security Management Act (FISMA), 44 U.S.C. 3541 et seq. FISMA applies to NIH recipients only when recipients collect, store, process, transmit or use information on behalf of HHS or any of its component organizations. In all other cases, FISMA is not applicable to recipients of grants, including cooperative agreements. The recipient retains the original data and intellectual property, and is responsible for the security of this data, subject to all applicable laws protecting security, privacy, and research. If and when information collected by a recipient is provided to HHS, responsibility for the protection of the HHS copy of the information is transferred to HHS, and it becomes the agency's responsibility to protect that information and any derivative copies as required by FISMA.