Take a sneak peek at the new NIST.gov and let us know what you think!
(Please note: some content may not be complete on the beta site.).

View the beta site
NIST logo
Bookmark and Share

Program Review for Information Security Management Assistance (PRISMA)


The Program Review for Information Security Management Assistance (PRISMA) includes many review options and incorporates guidelines contained in Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The PRISMA is based upon existing federal directives including Federal Information Security Management Act (FISMA), NIST guidelines and other proven techniques and recognized best practices in the area of information security.

PRISMA has three primary objectives:

  • To assist agencies in improving their information security programs
  • To support Critical Infrastructure Protection (CIP) Planning
  • To facilitate exchange of effective security practices within the federal community


PRISMA provides an independent review of the maturity of an agency's information security program. The review is based upon a combination of proven techniques and best practices and results in an action plan that provides a federal agency with a business case-based roadmap to cost-effectively enhance the protection of their information system assets. The PRISMA review, which is not an audit or an inspection, begins with an assessment of the maturity of the agency's information security program. This includes the agency's information security policies, procedures, and security controls implementation and integration across all business areas. The PRISMA team performs a comparable review of the agency's organizational structure, culture, and business mission. After the assessment is performed, the PRISMA team documents issues identified during the assessment phase and provides corrective actions associated with each issue. These corrective actions are then provided as a prioritized action plan for the agency to use to improve their information security program. The resulting action plan is weighted to provide the agency the greatest improvements, the most cost-effectively. The corrective actions the PRISMA team identifies include the time frame for implementation and the projected resource impact. The action plan can readily be used to develop scopes of work for quick "bootstrapping" of the information security program.

PRISMA focuses on nine primary review areas, each of which were derived from FISMA requirements and guidelines found in SP 800-53. Agencies may choose one of two pre-defined review options.

Lead Organizational Unit:



Mr. Richard Kissel


Related Programs and Projects:

For more information regarding the Program Review for Information Security Management Assistance (PRISMA), please visit the Computer Security Resource Center (CSRC).

Associated Products:


Richard Kissel
(301) 975-5017

100 Bureau Drive
M/S 8930
Gaithersburg, MD 20899-8930