
PRISMA Review Option 2

Option two of a PRISMA review focuses on the strategic aspects and the technical aspects of the overall information security program. This option identifies the level of maturity of the information security program and the agency's ability to comply with existing requirements in nine areas. This review includes all the criteria in option one and one additional area of security controls:


Information Security Management and Culture

  • IT Roles and Responsibilities
  • Security Control Review
  • Rules of Behavior and Documentation
  • Personnel Security
  • Risk Management

Information Security Planning

  • System Security Plans

Security Awareness, Training, and Education

  • End Users' Security Awareness and Training
  • Security and IT Professionals with Trusted Functions' Security Awareness and Training
  • Executive and Management Security Awareness and Training
  • Security Awareness and Training Infrastructure

Budget and Resources

  • IT Security Part of Capital Planning Process
  • Adequate Resources Applied to IT Security
  • IT Security Funding Distributed Based Upon a Risk Model
  • Cost-effective IT Security Solutions
  • Procurement Controls
  • Governance Process
  • Systems and Projects Inventory

Life Cycle Management

  • System Development Life Cycle (SDLC) Methodology
  • Changes Controlled and Tested Through SDLC
  • Security Requirements Definition

Certification and Accreditation


Critical Infrastructure Protection


Incident Response

  • Contingency Planning and Disaster Response
  • Incident Identification, Reporting, and Response

Security Controls

  • Physical and Environmental Program
  • Hardware and Software Maintenance
  • System and Information Integrity
  • Media Protection
  • Identification and Authentication
  • Logical Access Control
  • Accountability (including Audit Trails)
  • System and Communications Protection