Which legislative act requires minimum controls for federal information systems?

Prepare for the Information Systems and Controls (ISC) CPA Exam. Study with flashcards and multiple-choice questions, each with hints and explanations. Get ready to excel!

The Federal Information Security Modernization Act (FISMA) is the legislative act that establishes a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. Enacted in 2002 and updated in 2014, FISMA requires federal agencies to develop, document, and implement an information security program that includes minimum security controls. This includes conducting risk assessments, implementing security measures, and continuously monitoring security practices. The primary goal of FISMA is to ensure the security and integrity of federal information systems, making it pivotal for establishing oversight and accountability in managing cybersecurity risks.

Other acts and programs, while important in their own right, serve different purposes. For instance, HIPAA focuses on the protection of health information privacy and security, but it does not specifically address broader federal information systems. FedRAMP is designed to standardize security assessments for cloud services but is not a legislative act like FISMA. OMB Circular A-130 provides guidance on managing federal information resources, including security, but it does not establish the same legal requirements or minimum controls set forth by FISMA. Thus, FISMA is the clear choice for setting the legislative framework for minimum controls for federal information systems.
