Are state & local governments required to comply with the Federal Information Security Management Act (FISMA)? Over the past two years, I’ve heard various opposing views on this question.

First, let me clarify the question. I’m not asking if following NIST and FISMA security directions makes sense and is the “right thing to do” for state & local governments. It is. Many state and local government staff use NIST documents to help address numerous security questions. The Computer Security Resource Center on the NIST website is a gold mine for great security information, sample policies, federal guidance, etc. It is the go-to site for many public and private sector organizations. Virtually every state & local colleague I know uses the site to some extent, and if you don’t, you should.

Still, FISMA compliance is very hard and takes major resources and commitment. Our federal colleagues know that only too well. My question is more around the terms “guidance” or “mandate.” Should state and local governments view this as “commandments” or as suggestions?

For some background, I recommend reading the September 2005 “Final Audit Report – Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected” from the US Department of Treasury’s Deputy Inspector General for Audit. If you don’t want to take the time to read that PDF, I’ll tell you that the auditor and the Chief, Mission Assurance and Security Services at Treasury disagree on whether FISMA requirements apply to state agencies receiving Federal tax information. This is just one example, but if you Google this question, you can find several other similar documents online.

Before I post my opinions on this, I’d love to hear readers’ viewpoints, especially those of federal, state, and local government employees and contractors, on this topic.