Which regulation defines security and privacy controls for Federal information systems?

Multiple Choice

Which regulation defines security and privacy controls for Federal information systems?

Explanation:

The main idea here is identifying the rule that specifies which security and privacy controls federal information systems must follow. In the United States, federal agencies operate under FISMA, and the authoritative controls come from NIST Special Publication 800-53. This document lays out a comprehensive catalog of security and privacy controls that agencies select, tailor, and implement to protect information systems, forming the baseline used for risk assessment, authorization, and ongoing monitoring. It’s specifically designed for federal environments and is tightly integrated with the federal risk management framework.

Other options don’t fit the federal-regulation context. ENISA guidelines are EU-focused guidance rather than U.S. federal requirements. ISO 27001 is an international standard for an information security management system, not a federal regulation governing U.S. government systems. HIPAA governs privacy and security rules for protected health information in healthcare, not general security controls for federal information systems.
