The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing information systems. NIST will review and determine next steps to best support and potentially update the PRISMA content in 2022. For any questions or comments, please contact sec-cert@nist.gov.
The Program Review for Information Security Management Assistance (PRISMA) includes many review options and incorporates guidelines contained in Special Publication 800-53 (Revision 3), Recommended Security Controls for Federal Information Systems. The PRISMA is based upon existing federal directives including Federal Information Security Management Act (FISMA), NIST guidelines and other proven techniques and recognized best practices in the area of information security.
PRISMA provides an independent review of the maturity of an agency's information security program. The review is based upon a combination of proven techniques and best practices and results in an action plan that provides a federal agency with a business case-based roadmap to cost-effectively enhance the protection of their information system assets. The PRISMA review, which is not an audit or an inspection, begins with an assessment of the maturity of the agency's information security program. This includes the agency's information security policies, procedures, and security controls implementation and integration across all business areas. The PRISMA team performs a comparable review of the agency's organizational structure, culture, and business mission. After the assessment is performed, the PRISMA team documents issues identified during the assessment phase and provides corrective actions associated with each issue. These corrective actions are then provided as a prioritized action plan for the agency to use to improve their information security program. The resulting action plan is weighted to provide the agency the greatest improvements, the most cost-effectively. The corrective actions the PRISMA team identifies include the time frame for implementation and the projected resource impact. The action plan can readily be used to develop scopes of work for quick "bootstrapping" of the information security program.
PRISMA incorporates standards from the Federal Information Processing Standards (FIPS), such as FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. It also incorporates guidelines from many of the NIST Special Publications (SPs) such as Special Publication 800-53 (Revision 3), Recommended Security Controls for Federal Information Systems; existing federal directives including FISMA; and other proven techniques and recognized best practices in the area of information security.
PRISMA focuses on nine primary review areas, each of which were derived from FISMA requirements and guidelines found in SP 800-53. Agencies may choose one of two pre-defined review options.
PRISMA requires evidence of policies, procedures, implementation, testing, and integration of each of the PRISMA criteria. This evidence can be provided in the form of policy and procedure documents, independent assessments of systems, etc.
This NIST Interagency Report 7358 (NISTIR 7358) provides an overview of the Program Review for Information Security Management Assistance (PRISMA) methodology. The PRISMA methodology is a means of employing a standardized approach to review and measure the information security posture of an information security program.
Security and Privacy: assurance, program management