How are NIST, FISMA, and RMF related?

The National Institute of Standards and Technology (NIST) is considered to be responsible for cybersecurity standards and guidelines. Because of this, it is NIST's responsibility to develop proper frameworks for managing risk to information security and privacy in federal organizations. With this responsibility, they published the FISMA act of 2002, which was intended to strengthen the security of information programs.

With federal agencies now required to secure their information systems, NIST developed and published the first revision of NIST SP 800-53, originally titled “Recommended Security Controls for Federal Information Systems”, in 2006. This special publication was continuously updated, and the most important update was the third revision, published in late 2009, which included “a simplified, six-step risk management framework”. Shortly after this, in early 2010, RMF was officially published by NIST and became the new framework that every federal agency had to comply with.

In 2014, the revision to FISMA 2002 was released. FISMA 2014 essentially established all of the requirements of a risk management program, and RMF is the format that specifically determines how that program is implemented in order to reach authorization.

Since then, few changes have been made to this overall process, besides revisions to both NIST SP 800-53 and RMF. The fifth and most recent revision of SP 800-53 was critically important, as it made the controls/regulations applicable to the private sector, not just federal organizations. The second revision of RMF added a Prepare step and accounted for the controls added throughout the SP 800-53 revisions.

To simplify: NIST is largely responsible for cybersecurity standards and guidelines, and is therefore responsible for outlining the requirements for proper information security in organizations. Because of this, they published FISMA 2002 in order to require federal agencies to secure their information systems. Then, in 2006, they published SP 800-53, which outlined recommended controls to secure those information systems. In 2010, RMF was officially established based on these previous controls and created a framework with which to apply them. Finally, in 2014, they published the second revision of FISMA, which outlined all the requirements of a security program through use of NIST’s Risk Management Framework.