Often the government sector is viewed as unwieldy and cumbersome when it comes to moving rapidly to take advantage of new technology. When it comes to information security, this is often the case as well. Since 2002, the U.S. Federal Information Security Management Act (FISMA) has been used to help government agencies manage their information security programs. For many years FISMA has driven a compliance orientation to information security. However, new and more sophisticated threats are causing a shift in focus from compliance to risk-based protection.
FISMA 2010 will result in new requirements for system security, business continuity plans, continuous monitoring and incident response. The new FISMA requirements are supported by significant enhancements and updates to the National Institute of Standards and Technology (NIST) guidelines and Federal Information Processing Standards (FIPS). Specifically, FIPS 199 and 200, as well as the NIST SP 800 series, are being revised to help cope with the evolving threat landscape. While commercial organizations are not required to take any action with respect to FISMA, FISMA still has significant influence on information security programs in the commercial sector, simply because the FIPS standards and NIST guidelines are so influential in the information security community.
I would recommend that customers in both the government and commercial sectors take a close look at some of the NIST guidelines. In particular, I would call out the following:
• NIST SP 800-53: Updates to the security controls catalog and baselines.
• NIST SP 800-37: Updates to the certification and accreditation process.
• NIST SP 800-39: New enterprise risk management guidance.
• NIST SP 800-30: Revisions to provide improved guidance for risk assessments.
It’s always useful to leverage the work that the government is doing. We may as well take advantage of our tax dollars at work.