
The NIST Program Review for Information Security Management Assistance (PRISMA) includes more review options and incorporates guidance contained in Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The PRISMA is based upon existing federal directives including the Federal Information Security Management Act (FISMA), NIST guidance, and other proven techniques and recognized best practices in the area of information security.

A base set of criteria has been developed by NIST to support PRISMA activity and is updated with the lessons learned and feedback received at the conclusion of each review.

The PRISMA has three primary objectives:

  • To assist agencies in improving their information security programs

  • To support Critical Infrastructure Protection (CIP) Planning

  • To facilitate exchange of effective security practices within the federal community

The PRISMA provides an independent review of the maturity of an agency's IT security program. The review is based upon a combination of proven techniques and best practices and results in an action plan that provides a federal agency with a business case-based roadmap to cost-effectively enhance the protection of its information system assets. The PRISMA review, which is not an audit or an inspection, begins with an assessment of the maturity of the agency's IT security program. This includes the agency's IT security policies, procedures, and security controls implementation and integration across all business areas. The PRISMA team performs a comparable review of the agency's organizational structure, culture, and business mission. After the assessment is performed, the PRISMA team documents the issues identified during the assessment phase and provides corrective actions associated with each issue. These corrective actions are then provided as a prioritized action plan for the agency to use to improve its computer security program. The resulting action plan is weighted to provide the agency the greatest improvements most cost-effectively. The corrective actions the PRISMA team identifies include the time frame for implementation and the projected resource impact. The action plan can readily be used to develop scopes of work for quick "bootstrapping" of the cyber security program.

The PRISMA focuses on nine primary review areas, each of which was derived from a combination of the NIST SP 800-26 Self-Assessment Guide for Information Technology Systems, supplemented by other criteria from the requirements and guidance found in SP 800-53. Agencies may choose one of two pre-defined review options or work with NIST to further tailor their reviews.

Information from self-assessments generated using the NIST 800-26 Self-Assessment Guide can be used as input to the PRISMA review process, since they are self-assessments of individual systems. However, any self-assessment on its own provides only limited value. The PRISMA requires evidence of policies, procedures, implementation, testing, and integration for each of the PRISMA criteria. This evidence can be provided in the form of policy and procedure documents, independent assessments of systems, etc.

This is a cost-reimbursable service for federal agencies, and fees depend upon the scope of the review.

Agencies may request a review by the PRISMA team via the email address prisma@nist.gov. Agencies being reviewed will need to provide a liaison knowledgeable about computer security and the systems included in the review to work with the PRISMA team and to collect and organize the information received.


Last updated: March 17, 2005
Page created: February 23, 2004

Send comments or suggestions to prisma@nist.gov
NIST is an Agency of the U.S. Commerce Department's
Technology Administration