The Federal Information Security Modernization Act (FISMA) requires all federal agencies to implement an information security programme based on NIST standards — specifically NIST SP 800-53 for controls and NIST SP 800-37 for the Risk Management Framework — and to report their security posture to OMB, DHS, and Congress annually. FISMA has historically been criticised for encouraging checkbox compliance over genuine security improvement, and the Biden administration's shift to continuous monitoring and Zero Trust requirements under EO 14028 reflects an effort to make FISMA outcomes track actual security posture more closely.
Related: Government · FedRAMP · NIST CSF · SIEM · CAASM