Are state & local governments required to comply with the Federal Information Security Management Act (FISMA)? Over the past two years, I’ve heard various opposing views on this question. First, let me clarify the question. I’m not asking if following NIST and FISMA security directions makes sense and is the “right thing to do” for state & local governments. It is. Many state and local government staff use NIST documents to help address numerous security questions. The Computer Security Resource Center on the NIST website is gold mine for great security information, sample policies, federal guidance, etc. It is the go-to site for many public and private sector organizations. Virtually every state & local colleague I know uses the site to some extent, and if you don’t, you should.Still FISMA compliance is very hard and takes major resources and commitment. Our federal colleagues know that only too well. My question is more around the terms “guidance” or “mandate.” Should state and local governments view this as “commandments” or the suggestions?For some background, I recommend reading the September 2005 “Final Audit Report – Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected” from the US Department of Treasury’s Deputy Inspector General for Audit. If you don’t want to take the time to read that PDF, I’ll tell you that the auditor and the Chief, Mission Assurance and Security Services at Treasury disagree on whether FISMA requirements apply to state agencies receiving Federal tax information. This is just one example, but if you Google this question, you can find several other similar documents online. Before I post my opinions on this, I’d love to hear reader’s viewpoints, especially federal, state, and local government employees and contractors, on this topic. Related content opinion 3 security career lessons from 'Back to the Future' You don't need to be able to predict the future to have a successful security career, but you had darned well better be able to learn from the past. By Dan Lohrmann Jan 12, 2021 6 mins Careers Security interview Secrets of industry-hopping CSOs Who says you can't change industries? Veteran security leaders Mark Weatherford and Cheri McGuire teach you how it’s done. By Dan Lohrmann Mar 02, 2020 12 mins Careers Security opinion Why security pros are addicted to FUD and what you can do about it Despite professing anti-FUD rhetoric, cyber experts fan the flames, breathlessly sharing the details of the latest data breaches. It's a risky addiction that can lead to security apathy in enterprises. Here's how to harness it. By Dan Lohrmann Sep 06, 2018 7 mins Security opinion Bridging the smart cities security divide There are plenty of organizations that seem to be working on answers to secure smart cities, but in many ways it's like the early days of cloud computing with everyone building their own solutions. By Dan Lohrmann Feb 01, 2018 6 mins Internet of Things Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe