Which legislation requires federal agencies to secure information and information systems, with guidelines provided by NIST?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which legislation requires federal agencies to secure information and information systems, with guidelines provided by NIST?

Explanation:
FISMA 2014 sets the requirement that U.S. federal agencies must protect information and information systems through an agency-wide information security program, and it mandates using security standards and guidelines developed by NIST to implement that protection. Agencies apply a risk-based approach, selecting and implementing appropriate controls, conducting risk assessments, obtaining authorization, and continuously monitoring their security posture in line with NIST guidance (such as the Risk Management Framework and SP 800-53 controls). This combination—legal obligation plus NIST-provided guidelines—defines what this legislation requires. Other options focus on different domains (healthcare privacy, corporate financial reporting, or payment card data) and do not impose federal agency-wide security programs with NIST guidance.

