From Splunk Wiki
FISMA is a law followed by all agencies. But DOD follows slightly different guidelines for implementation. They are merging into one set of guidelines for civilian and DOD soon. NISPOM governs compliance around security classification levels. Chapter 8 overlaps with information security (above...) But is a much broader compliance mandate (includes physical security controls). Proper use of this information after leaving employment. I'm still personally bound by NISPOM, but not FISMA.