Misconceptions about NIST and CISA: Clarifying Their Roles

Jax S. - Outpost Gray
3 min read · Apr 15, 2024

It is a common misconception that the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) are regulators, or that their publications are federal or state regulations. The confusion is especially common with NIST. This article explains why NIST is often mistaken for a regulatory body and why it is not one.

FISMA, OMB A-130 and NIST Controls

The Federal Information Security Management Act (FISMA) was enacted in 2002 and requires each federal agency to develop, document, and implement an agency-wide information security program. In 2014 it was amended and renamed the Federal Information Security Modernization Act to modernize federal security practices and address evolving threats.

Another significant policy, Office of Management and Budget (OMB) Circular A-130, “Managing Information as a Strategic Resource” (not to be confused with OMB Circular A-123, which covers enterprise risk management and internal control), establishes policy for the planning, budgeting, governance, acquisition, and management of federal information resources. It also assigns responsibilities for protecting federal information resources and personally identifiable information (PII).

Legislation and policy at this level need frameworks and controls to make them actionable, and that is where NIST comes in (CISA’s part is operational and is covered below). NIST published NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems” (since revised into the Risk Management Framework, RMF), and in February 2005 published NIST SP 800-53, the security control catalog that supports this legislation and policy.

Understanding NIST’s Role Through NIST SP 800–53

The Authority section at the front of NIST SP 800-53, and of NIST’s other security publications, states clearly where NIST’s mandate comes from:

“This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113–283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. Such information security standards and guidelines shall not apply to national security systems without the express approval of the appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.”

CISA’s Role in Supporting FISMA

CISA supports the implementation of FISMA by focusing on the operational side of cybersecurity across federal civilian executive branch agencies. It provides cybersecurity tools and shared services (for example, the Continuous Diagnostics and Mitigation program), incident response assistance, and guidance that helps agencies align their practices with FISMA requirements, including support for the continuous monitoring and risk assessment processes that keep federal information systems protected against emerging threats. One caveat: CISA can issue Binding Operational Directives and Emergency Directives that federal civilian agencies must implement, but this authority is granted by FISMA and reaches only the federal civilian executive branch; it does not make CISA a general regulator.

Conclusion

These documents show that NIST and CISA are not regulatory bodies. NIST writes the standards and guidelines and CISA supplies operational support, but the obligation to follow them comes from FISMA and OMB policy, which make NIST standards binding on federal agencies. Their role is to guide and standardize, not to regulate directly. For private organizations, adopting NIST frameworks is voluntary unless a contract or a separate regulation requires it, as the DFARS clause requiring NIST SP 800-171 for Department of Defense contractors does.

References:

NIST SP 800-53 Rev. 5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

OMB Circular A-123: https://obamawhitehouse.archives.gov/omb/circulars_a123_rev

FISMA and CISA: https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act


Jax S. - Outpost Gray

Founder of Outpost Gray, Author, Podcaster, YouTuber, Speaker, and Influencer.