For U.S. federal agencies, mandatory cybersecurity requirements under law are established through Federal Information Processing Standards (FIPS). FIPS are developed by NIST and approved by the Secretary of Commerce, and under the Federal Information Security Modernization Act (FISMA) they are mandatory for federal agencies, which may not waive them; they bind contractors when a statute, regulation, or contract clause requires them (for example, FIPS 140 validation of cryptographic modules). This legal enforceability distinguishes FIPS from voluntary standards and frameworks.
Step 1: Understand the legal nature of FIPS
FIPS are developed under U.S. law (NIST's statutory authority under FISMA) to define minimum security requirements for federal information systems other than national security systems. When a federal agency operates or procures information systems, compliance with the applicable FIPS (such as FIPS 199 for security categorization and FIPS 200 for minimum security requirements) is mandatory. This makes FIPS a legal obligation rather than a best-practice recommendation.
Step 2: Differentiate standards vs regulations
ISA/IEC 62443 is an international, consensus-based series of standards intended primarily for industrial automation and control systems (IACS). While widely adopted and frequently referenced by regulators, it is not legally mandatory unless a law, regulation, or contract explicitly incorporates it. Therefore, on its own it does not satisfy the "under law" condition in the question.
Step 3: Eliminate incorrect options
The EU Cyber Resilience Act applies to products with digital elements placed on the European Union market; it does not bind U.S. federal agencies.
NIST SP 800-171 specifies requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It reaches contractors through contract clauses and flow-downs (for example, DFARS 252.204-7012 for Department of Defense contracts), not directly as a law governing federal agencies' own systems.
Step 4: Align with ISA/IEC 62443 perspective
ISA/IEC 62443 acknowledges that applicable legal and regulatory obligations take precedence over voluntary standards. Asset owners must first comply with the laws that apply to them, then apply ISA/IEC 62443 controls (security levels, zones and conduits, and the associated requirements) to meet their industrial cybersecurity objectives.
Thus, for a U.S. federal agency facing mandatory cybersecurity requirements under law, NIST FIPS is the correct answer.