NIST Compliance

Compliance with NIST standards and guidelines is a top priority at Iowa State.
To get started:

  1. Log into ChangeGear
  2. Click 'New'
  3. Select the 'RFC NIST Compliance change form'
  4. Complete the form
    Note: Refer to the IT Handbook for additional details
  5. For questions about how to open RFC tickets, e-mail for assistance.

Process Flow

  1. System Security Plan (SSP): Identify, analyze, and understand the cyber gaps and vulnerabilities
  2. Security Certification / Assessment: A critical review of the organization's cyber posture (the truth as of a point in time)
  3. Plan of Action and Milestones (POAM): The plan to remediate the cyber gaps
  4. Cyber Breach Detection: Monitoring of infrastructure cyber events that meet the cyber-attack notification requirements

System Security Plan

The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also sets out responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.

Security Certification / Assessment

During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. The certification agent confirms that the security controls described in the system security plan are consistent with the FIPS 199 security category determined for the information system, and that the threat and vulnerability identification and initial risk determination are identified and documented in the system security plan, risk assessment, or equivalent document.

Plan of Action and Milestones (POAM)

The results of a security certification are used to reassess the risks, develop the plan of action and milestones (POAMs) which are required to track remedial actions, and update the system security plan, providing a factual basis for an authorizing official to render a security accreditation decision.

Cyber Breach Detection

If a breach is detected, IT security and PI are required to follow Iowa State's incident reporting policy.