FISMA & NIST

Independent Assessments for Enhanced Compliance

AssurancePoint offers readiness assessment services (free for new clients), gap remediation guidance, Type 1 attestation assessments (control design as of a point in time), and Type 2 attestation assessments (control design and operating effectiveness over a period of time) for organizations seeking an independent examination and report against a specified NIST framework. Our examinations are conducted in accordance with attestation standards established by the AICPA.

NIST 800-53

The National Institute of Standards and Technology (NIST) develops standards and control guidelines to help federal agencies comply with the Federal Information Security Modernization Act (FISMA). Special Publication 800-53 contains a catalog of security and privacy controls intended for federal information systems and organizations. Beyond that mandate, NIST SP 800-53 has become a widely adopted security control framework in the private sector as well.

NIST CSF

The NIST Cybersecurity Framework (CSF) consists of guidance and standards to help organizations manage and reduce cybersecurity risk. The framework was developed through collaboration between government and industry and largely leverages existing cybersecurity and risk management standards. Compared with SP 800-53, the CSF is a high-level, risk-based framework; its broader scope is more easily understood by executives and other non-technical stakeholders. The CSF is also not designed as a regulatory requirement for government agencies and their affiliates, which allows greater flexibility in tailoring its implementation to an organization's needs.

NIST Privacy Framework

The Privacy Framework established by NIST is intended to help organizations identify and manage privacy risks associated with their products or services. The Privacy Framework is modeled after NIST's Cybersecurity Framework (CSF); however, it extends the scope to account for privacy risks arising from data processing that may be unrelated to cybersecurity incidents. An assessment against the Privacy Framework benefits organizations looking to improve an existing data privacy program as well as those seeking flexible guidance to serve as the foundation for a new one.