FISMA is the Federal Information Security Modernization Act of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by the FISMA legislation. As a key element of the FISMA Implementation Project, NIST also developed additional guidance (in the form of Special Publications) and a Risk Management Framework which effectively integrates all of NIST’s FISMA-related security standards and guidelines in order to promote the development of comprehensive, risk-based, and balanced information security programs by federal agencies. The ultimate objective of the Risk Management Framework and the associated publications is to enable agencies to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. The Risk Management Framework and the associated publications are available on the SP 800 publications page.

FISMA reaffirmed NIST’s role of developing information security standards (Federal Information Processing Standards) and guidelines (Special Publications in the 800-series) for non-national security federal systems and assigned NIST some specific responsibilities, including the development of:

• Standards to be used by Federal agencies to categorize information and systems based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and systems to be included in each category; and
• Minimum information security requirements (management, operational, and technical security controls) for information and systems in each such category.

NIST employs a comprehensive public review process on every FISMA standard and guideline to ensure the security standards and guidelines are of the highest quality—that is, technically correct and implementable. NIST actively solicits and encourages individuals and organizations in the public and private sectors to provide feedback on the content of each of the FISMA publications. In most cases, the FISMA security publications go through three full public vetting cycles providing an opportunity for individuals and organizations to actively participate in the development of the standards and guidelines. NIST also works closely with owners, operators, and administrators of systems within NIST to obtain real-time feedback on the implementability of the specific safeguards and countermeasures (i.e., security controls) being proposed for federal systems. Finally, NIST has an extensive outreach program that maintains close contact with security professionals at all levels to ensure important feedback can be incorporated into future updates of the security standards and guidelines. The combination of an extensive public review process for standards and guideline development, the experience in prototyping and implementing the safeguards and countermeasures in the systems owned and operated by NIST, and the aggressive outreach program that keeps NIST in close contact with its constituents, produces high-quality, widely accepted security standards and guidelines that are not only used by the federal government, but are frequently adopted on a voluntary basis by many organizations in the private sector.

Prioritizing security controls in the baselines recommended by NIST would place emphasis on selected security controls at the expense of other, equally important controls. In addition, providing public prioritization of baseline security requirements and controls would give threat agents and adversaries important information which would be damaging to federal agencies in giving visibility into their protection strategies. The approach recommended by NIST, centered around the Risk Management Framework, provides federal agencies with a disciplined, structured, and flexible process to select appropriate security controls for their systems, a methodology to determine the effectiveness of those controls, and visibility into the residual risks to the organization’s operations and assets, individuals, other organizations (partnering with the organization), and the Nation. The deployment of security controls uses a defense-in-depth approach which combines management, operational, and technical safeguards and countermeasures to address all aspects of the threat space. The balanced approach to control selection and deployment recognizes that technology alone cannot protect federal systems. Federal agencies require a holistic approach to protecting critical missions and business functions which includes people, processes, and technology working together in a complementary and mutually reinforcing manner.

No. FISMA compliance requires the thoughtful selection and employment of stringent security controls for federal systems using a risk-based approach to protect critical federal missions and business functions. In addition to technology-based controls such as access control, identification and authentication, audit and accountability, encryption, and system and communications protection, there are also management and operational controls that address important security areas such physical security, personnel security, continuity of operations, awareness and training, incident response, security planning, system integrity, and acquisition. Developing sound security policies and procedures is a critical aspect of building an effective information security program. Security policies, while administrative in nature, demonstrate in clear and unequivocal teams, senior management’s commitment to information security and protecting the organization’s operations (mission, functions, image, and reputation) and assets, individuals, other organizations, and the Nation. Security procedures provide the necessary details for the organization’s security professionals to effectively implement the security policies. Effective policies and procedures, in conjunction with technology-based security controls, provide a defense-in-depth and holistic approach to information security and managing organizational risk from systems. In addition to the above, there are specific management controls that require an assessment of the controls in organizational systems to determine overall effectiveness. The determination of security control effectiveness provides critical information to senior leaders/executives needed to make credible risk-based decisions for the authorization (accreditation) of systems.

Yes. There are many emerging automated support tools that can help federal agencies implement and assess security controls necessary for FISMA compliance. Many of the technical security controls in NIST Special Publication 800-53 (Rev. 4) that have security configuration settings can benefit from the automated testing procedures being developed under the multi-agency Information Security Automation Program using the Security Content Automation Protocol.  Automated support tools for the management and reporting of FISMA-related information are also available under the Department of Homeland Security Information Systems Security Line of Business initiative. 

Many organizations and individuals have a role in determining FISMA compliance. Congress establishes top-level security requirements for federal agencies and support contractors in the FISMA legislation. NIST develops the security standards and guidelines necessary for FISMA implementation including a risk-based approach for selecting, implementing, and assessing security controls for federal systems and for determining risk to organizational operations and assets, individuals, other organizations, and the Nation. Agency heads, in coordination with their Chief Information Officers and Senior Agency Information Security Officers report the security status of their systems to OMB in accordance with annual FISMA reporting guidance. Inspectors General provide an independent assessment of the security status of federal systems, also reporting results to OMB annually.

Yes. There is a strong reference to FISMA in the FAR. The FAR link is provided at: http://www.acquisition.gov/far. Page 7.1-2, FAR Section 7.103 states:

"Agency-head responsibilities--- The agency head or a designee shall prescribe procedures for ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce's National Institute of Standards and Technology."

Therefore, the FAR points to FISMA, OMB Circular A-130, and the security standards and guidance developed by the National Institute of Standards and Technology at the Department of Commerce. The NIST security standards and guidance can be found on the Computer Security Division web site at http://csrc.nist.rip with specific information on the FISMA Implementation Project webpage.

No. NIST does not offer or endorse any program or tool nor does NIST determine cost estimations for certification or compliance with NIST's suite of risk management guidance.  

Any specific DoD Risk Management Framework or DIACAP, or DoD Form 2390 or eMass questions should be directed to the DoD Risk Management Framework Knowledge Service (RMFKS) at osd.rmftag-secretariat@mail.mil.  For additional program information go to https://rmfks.osd.mil (a valid DoD CAC card will give you access to this knowledge base)

NIST does not provide printed copies of publications.  NIST publications are not subject to copyright in the US.  Organizations are free to print out copies of these publications.

Yes. Organization are allowed to translate NIST publications; NIST publications are not subject to copyright in the US, however, attribution would be appreciated by NIST. For other publication types linked from the NIST website (e.g., white papers, journal articles, conference papers, and books) that are published by non-NIST entities, please confirm with those entities separately. 

No, NIST does not have or provide templates for the steps (Prepare, Categorize, Select, Implement, Assess, Authorize and Monitor) of the RMF, as the RMF is a risk-based process. How each organization plans for and estimates resource needs will vary, and it is not within the scope of our information security research.  

There will not be a third comment period for SP 800-53. In most cases, NIST traditionally has one or two public comment periods for its publications.

The DOD Cybersecurity Maturity Model Certification (CMMC) utilizes the publicly available security controls in draft NIST SP 800-53, Revision 5. NIST is not involved in the design, development, or implementation of the CMMC model, accreditation body, or certification. For information about the CMMC program, please see: https://www.acq.osd.mil/cmmc/ Specific questions about the CMMC should be directed to the CMMC Program.

NIST does not have a role in implementation, assessment, or oversight of the Defense Federal Acquisition Regulation Specification (DFARS) Clause 252.204-7012. The following resources are available from the Department of Defense (DoD):

• Procurement Technical Assistance Program (PTAP) and Procurement Technical Assistance Centers (PTACs)
• Nationwide network of centers/counselors experienced in government contracting, many of which are affiliated with Small Business Development Centers and other small business programs
• Cybersecurity in DoD Acquisition Regulations page at for Related Regulations, Policy, Frequently Asked Questions, and Resources (June 26, 2017)
• DPAP Website for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions
• DoDI 5230.24, Distribution Statements on Technical Documents
• DoD’s Defense Industrial Base Cybersecurity program (DIB CS Program)

Questions about the DFARS can be submitted to: osd.dibcsia@mail.mil

NIST will release the following mappings as Supplemental Materials pending the final publication of SP 800-53, Revision 5:

• Mappings to ISO 27001 and ISO 15408
• Mappings to the NIST Cybersecurity Framework and Privacy Framework

Additional mappings are not planned at this time; NIST encourages the relevant communities of interest to develop applicable mappings and resources.

We do not have a red-lined document comparing the Initial Public Draft (IPD) released in August 2017 and the Final Public Draft (FPD) released in March 2020, and there is no mapping between the controls in Revision 4 and Revision 5 (FPD)

There are multiple differences between the IPD and the FPD of NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. (https://csrc.nist.rip/external/nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5-draft.pdf), including but not limited to:

• Addition of Supply Chain Risk Management Family (most of the controls in this family are derived from SA-12, Supply Chain Protection, in NIST SP 800-53 Revision 4)
• Consolidation of two privacy families and controls (August 2017: 2 privacy-focused families, Individual Participation and Privacy Authorization) into a single family (March 2020: 1 privacy-focused family, Personally Identifiable Information Processing and Transparency) • Updates of references and terminology to reflect current NIST publications and federal regulatory guidelines
• Relocation of multiple appendices (e.g., control baselines, tailoring considerations) into future NIST SP 800-53B Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations.

Also on the NIST SP 800-53, Revision 5 publication page (https://csrc.nist.rip/publications/detail/sp/800-53/rev-5/draft) underneath “Supplemental Material,” you will find a document detailing significant changes between NIST SP 800-53 Revision 4 and NIST SP 800-53, Revision 5 FPD.

Attendees are encouraged to self-report training credits to their certifying authority.

The International Association of Privacy Professionals (IAPP) has approved up to 2 CPE credits for attending this virtual event. Refer to original event page for additional information https://go.usa.gov/xd7Vq.

A link to a spreadsheet containing draft SP 800-53, Revision 5 controls can be found on the publication's page at: https://csrc.nist.rip/publications/detail/sp/800-53/rev-5/draft

CSV versions of the current SP 800-53 and SP 800-53A Revision 4 can be found on the SP 800-53 database at: https://nvd.nist.gov/800-53

Please note that efforts are underway to integrate OSCAL into the development of 800-53 data sets.

The NIST Open Security Controls Assessment Language (OSCAL) team can be reached at: https://pages.nist.gov/OSCAL/contribute/contact/

For more information on the OSCAL project at nist, visit: https://nist.gov/oscal

The selection and implementation of controls is a risk-based process for the implementing organization that takes into account many factors (i.e., the organizational risk management strategy, risk tolerance, mission/business functions, types of information and systems, threats and vulnerabilities to the system and organization).

We encourage communities of interest to consider developing overlays for specific information technology areas or for unique circumstances/environments. Overlays provide an opportunity to build consensus across communities of interest and develop security plans for organizational systems that have broad-based support for very specific circumstances, situations, and/or conditions. To support development and sharing of overlays, NIST provides the NIST Security Control Overlay Repository (SCOR)
https://csrc.nist.rip/Projects/risk-management/scor, a platform for stakeholders to voluntarily share security control overlays.

NIST Interagency Report (NISTIR) 8011, Automation Support for Security Control Assessments, provides guidance to support automated assessment of most of the security controls in NIST SP 800-53, which may assist in the development of automation tools to implement and/or review control implementations. For more information: NISTIR 8011 Volume 1: Overview [https://csrc.nist.rip/publications/detail/nistir/8011/vol-1/final]; Volume 2: Hardware Asset Management [https://csrc.nist.rip/publications/detail/nistir/8011/vol-2/final]; Volume 3: Software Asset Management [https://csrc.nist.rip/publications/detail/nistir/8011/vol-3/final]; and Volume 4: Software Vulnerability Management (releasing in April 2020).

• Does an implementation collaboration index for each control provide meaningful guidance to both privacy and security professionals? If so, how? If not, what are potential issues and concerns?
• Which option (3-gradient scale or 5-gradient scale) is preferred and why?
• Are there other recommendations for a collaboration index?
• Are there recommendations on other ways to provide more guidance on collaboration?
• Are there recommendations for how the collaboration index should be integrated with the controls? For example, should the collaboration index be included as an Appendix to SP 800-53, included as a section of the control, included in related publication, or some other method?