How does FISMA relate to NIST? This question has relevance to many organizations, so we wanted to share the response. We’ll start with explaining the terms within this question.
FISMA is the Federal Information Security Management Act of 2002. FISMA requires each federal agency to develop, document and implement an agency-wide cyber security program.
NIST is the National Institute of Standards and Technology. NIST’s role is to develop information security standards, or FIPS (Federal Information Processing Standards), and guidelines called Special Publications (SPs) that categorize types of information and provide guidelines to protect them.
NIST is also responsible for reviewing and vetting the FISMA security standards to ensure that they are technically correct and implementable by federal agencies. The review process includes feedback from public and private sector organizations that may be affected, NIST’s own internal review, and outreach to cyber security professionals.
Does NIST only relate to FISMA compliance? Not at all. NIST Special Publication 800-53 and the NIST Cybersecurity Framework form the basis for many other compliance requirements, including CJIS, PCI, HIPAA and 23 NYCRR 500. Even if you do not fall under any compliance mandates, these publications are available to you to assist you in developing a cyber security program of your own. Foresite typically uses NIST as our framework to evaluate the cybersecurity maturity of clients who don’t have compliance mandates.
Do you have a question for our cybersecurity and compliance team? Please submit here for a personal response, and we may share it in a future blog.