NIST Unveils 'Framework Meets FISMA' Cyber Best Practices


The document came out just one day after Trump mandated that agencies follow the agency’s cyber best practices guide.

The government’s cyber standards agency released draft guidance Friday outlining cybersecurity best practices for federal agencies.

The long-planned initiative came just one day after President Donald Trump issued an executive order mandating that federal agencies implement a cybersecurity framework developed by that agency, the National Institute of Standards and Technology, or face consequences.

Friday’s guidance from NIST essentially outlines how agencies can incorporate that cybersecurity framework into their existing security requirements. NIST officials have referred colloquially to the document as “framework meets FISMA,” a reference to the Federal Information Security Management Act, the government’s main cyber compliance law.


The document, officially titled NIST Interagency Report 8170, outlines how agencies can use the framework to vet the cybersecurity of their technology vendors and to apportion cybersecurity responsibilities across different parts of their organizations, among other uses.

It also outlines how the framework can help officials assess how well an agency is complying with security and privacy laws, including FISMA and the Health Insurance Portability and Accountability Act, or HIPAA.

NIST is seeking feedback on how to improve the guidance for federal IT managers and executives at private companies that work with the government. The document will be open for comment through June 30.

The document has gone through several internal revisions over the past year, NIST Cybersecurity Framework manager Matthew Barrett said recently.

The current version is intended for anyone who manages federal information systems, ranging from senior executives to line managers, according to the document.

“It is especially relevant for personnel who develop, implement, report, and improve enterprise and cybersecurity risk management processes within their organizations,” the document states.