The Federal Information Security Modernization Act (FISMA) requires US federal agencies to protect their information systems and to report on their security posture. Businesses that support these agencies may also have to implement the same controls if they interconnect with government systems or operate systems on the government's behalf. A set of documents guides the selection, implementation and management of security controls for such systems, chiefly the Federal Information Processing Standards (FIPS) and the National Institute of Standards and Technology Special Publications (NIST SP):

  • FIPS 199: Defines the security categorization of a system as Low, Moderate or High impact, assessed separately for confidentiality, integrity and availability
  • FIPS 200: Specifies the minimum security requirements and directs agencies to select the NIST SP 800-53 control baseline that matches the FIPS 199 categorization
  • NIST SP 800-53: The catalog of security and privacy controls to choose from (since Revision 5, the baselines themselves are published separately in NIST SP 800-53B)

NIST SP 800-53 defines three risk-based control baselines: Low, Moderate and High. The baseline is selected from the system's overall FIPS 199 impact level, which is the highest impact level assigned to any of the three objectives (the "high-water mark"). Higher-impact systems must implement more controls, and more stringent ones, while lower-impact systems require a smaller set. A baseline is a starting point rather than a final answer: it is then tailored to the specific system, with controls added, removed or supplemented as the agency's risk assessment justifies.