Question from Prospect – How does FISMA relate to NIST?

How does FISMA relate to NIST? This question is relevant to many organizations, so we wanted to share the response. We'll start by explaining the terms within the question.

FISMA is the Federal Information Security Management Act of 2002 (amended by the Federal Information Security Modernization Act of 2014). FISMA requires each federal agency to develop, document and implement an agency-wide information security program covering the systems that support its operations and assets, including those operated by contractors on its behalf.

NIST is the National Institute of Standards and Technology. Under FISMA, NIST's role is to develop the mandatory information security standards, the FIPS (Federal Information Processing Standards), and the guidelines called Special Publications (SPs). Together these categorize federal information and information systems by impact level (FIPS 199) and specify the security controls needed to protect them (SP 800-53).

NIST is also responsible for reviewing and vetting the security standards and guidelines it issues under FISMA to ensure that they are technically sound and implementable by federal agencies. The review process includes public comment from public- and private-sector organizations that may be affected, NIST's own internal review, and outreach to cybersecurity professionals.

Does NIST only relate to FISMA compliance? Not at all. NIST Special Publication 800-53 and the NIST Cybersecurity Framework underpin, or map directly to, many other compliance requirements, including CJIS, PCI DSS, HIPAA and 23 NYCRR 500. Even if you do not fall under any compliance mandate, these publications are freely available to help you build a cybersecurity program of your own. Foresite typically uses NIST as the framework for evaluating the cybersecurity maturity of clients who don't have compliance mandates.

Do you have a question for our cybersecurity and compliance team? Please submit it here for a personal response, and we may share it in a future blog post.
