Date Published: January 2007
Planning Note (07/12/2023):
The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NISTIR 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project and research to support updates will begin in FY24.
For questions or comments regarding the NIST Cybersecurity Risk Analytics and Measurement project, please contact cyberriskanalystics@nist.gov.
Author(s)
Pauline Bowen (NIST), Richard Kissel (NIST)
Several sources of guidance, policies, standards and legislative acts provide many requirements for the federal agencies when protecting entrusted information. Various assessments, reviews, and inspections are an outcome of these information security requirements to monitor federal agency compliance. The manner in which these monitoring approaches are implemented may be very different, impacting agency resource constraints. The Federal Information Security Management Act (FISMA) of 2002 charged NIST to provide technical assistance to agencies regarding compliance with the standards and guidelines developed for securing information systems, as well as information security policies, procedures, and practices. This Interagency Report provides an overview of the NIST Program Review for Information Security Management Assistance (PRISMA) methodology. PRISMA is a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency. This report is provided as a framework for instructional purposes as well as to assist information security personnel, internal reviewers, auditors, and agency Inspector General (IG) staff personnel.
Several sources of guidance, policies, standards and legislative acts provide many requirements for the federal agencies when protecting entrusted information. Various assessments, reviews, and inspections are an outcome of these information security requirements to monitor federal agency...
See full abstract
Several sources of guidance, policies, standards and legislative acts provide many requirements for the federal agencies when protecting entrusted information. Various assessments, reviews, and inspections are an outcome of these information security requirements to monitor federal agency compliance. The manner in which these monitoring approaches are implemented may be very different, impacting agency resource constraints. The Federal Information Security Management Act (FISMA) of 2002 charged NIST to provide technical assistance to agencies regarding compliance with the standards and guidelines developed for securing information systems, as well as information security policies, procedures, and practices. This Interagency Report provides an overview of the NIST Program Review for Information Security Management Assistance (PRISMA) methodology. PRISMA is a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency. This report is provided as a framework for instructional purposes as well as to assist information security personnel, internal reviewers, auditors, and agency Inspector General (IG) staff personnel.
Hide full abstract
Keywords
inspections; maturity level; PRISMA; security issues; security reviews; evaluation; action plan
Control Families
Audit and Accountability; Assessment, Authorization and Monitoring; Planning