For NIST publications the Federal Information Security Management Act (FISMA) is a good way to demonstrate the link between laws and NIST publications. Originally passed by Congress in December, 2002. FISMA was updated in 2014 (Federal Information Security Modernization Act of 2014) but the essential elements of CIA for information security are retained in this update.1 FISMA recognized the need for information security involving government information systems and directed federal agencies to develop programs for such protection. The law provided a framework for agencies to use that included the following areas:
• Inventory of Information Systems
• Categorize Information and Information Systems according to Risk Level
• Security Controls
• Risk Assessment
• System Security Plan
• Certification and Accreditation
• Continuous Monitoring
An important aspect of FISMA is its definition of information security:
“…protecting information and information systems for unauthorized access, use, disclosure, disruption, modification or destruction2…”
FISMA provides three elements that define information security and privacy:
CONFIDENTIALITY: “…preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information…”
INTEGRITY “...guarding against the improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity.”
AVAILABILITY: “…ensuring timely and reliable access to and use of information."
Taken together the attributes of CIA comprise the basis of information security.
 FISMA was updated in 2014 (Federal Information Security Modernization Act of 2014) but the essential elements of CIA for information security are retained in this update.
 FISMA (Public Law 107-347), Section 3542. Definitions (b)(1)