NIST Compliance

The National Institute of Standards and Technology (NIST) produces, among other things, a series of documents known as Special Publications (SP). The NIST SP 800 series deals with computer security, and NIST SP 800-53 revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, details the information security and privacy controls that must be in place for information systems in the US Federal government. Other 800-series documents cover further elements of information security, including risk management (SP 800-37 revision 1 and SP 800-30 revision 1) and business continuity/contingency planning (SP 800-34 revision 1).

Why is NIST Important? FISMA

The Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Modernization Act of 2014 (also FISMA, which enhances and clarifies the original law) require US Government agencies to implement information security controls using a federal risk-based approach to information security assessment. Each agency must report its compliance annually to the Office of Management and Budget (OMB), and the primary framework in use for FISMA compliance is detailed in NIST SP 800-53. Therefore, you must be compliant with NIST standards and guidelines in order to meet annual FISMA compliance requirements. Information systems managed by non-governmental bodies (such as contracting firms or public companies) on behalf of US Government agencies may also be required to report their compliance against FISMA.