Summary
US federal law, specifically the Federal Information Security Management Act (FISMA), requires US federal government agencies to follow National Institute of Standards and Technology (NIST) security standards and guidelines, in particular the security control catalog in NIST Special Publication 800-53. That is easier said than done. NIST 800-53 leaves a lot of room for interpretation, and many security and risk (S&R) professionals in government turn to other standards, such as the ISO 27000 family or the US Department of Defense's Information Assurance Certification and Accreditation Process (DIACAP), to find the implementation specifics they need. Neither fits a civilian agency well: ISO 27000 can be too high-level, while the DoD standard is overkill. Forrester contends that the Payment Card Industry Data Security Standard (PCI DSS) holds promise as an additional baseline that can augment NIST 800-53 with more prescriptive requirements. In this report, we map NIST 800-53 controls to PCI DSS requirements to provide prescriptive guidance for meeting NIST 800-53.