[ISN] FISMA guidance nearly complete
InfoSec News
isn at c4i.org
Thu Oct 27 03:10:41 EDT 2005
http://www.gcn.com/vol1_no1/daily-updates/37422-1.html
By William Jackson
GCN Staff
10/26/05
The National Institute of Standards and Technology is nearly finished
developing guidance documents for compliance with the Federal
Information Security Management Act.
"Special Publication 800-53A [1] is the last of the guidelines we will
be providing," said Pat Toth of NIST's computer security division.
Toth updated attendees on NIST's work at the Federal Information
Assurance Conference at the University of Maryland today.
The publication, titled "Guide for Assessing Security Controls in
Federal Information Systems," was released for comment in July. A
second draft is expected to be released in March 2006.
NIST expects to complete its final FISMA standard, FIPS 200, which
governs selection of security controls for information systems, in
January or February 2006.
NIST was required to produce standards and implementation guidance for
FISMA. The agency's next step will be to begin certification of
agencies to perform security assessments for government IT systems.
NIST's work on FISMA guidance was divided into two areas: Federal
Information Processing Standards and guidance published in the 800
series of Special Publications. Compliance with both guidelines and
standards is mandatory. Technology-specific requirements are included
in guidelines rather than standards because they can be more easily
updated.
SP800-53A is intended to standardize security assessment practices
across government, so they can produce consistent, comparable and
repeatable results. This will enable trust relationships between
organizations.
"Before you enter into any kind of relationship, it is critical to
know where [organizations] stand in regard to security," Toth said.
The public comment period on SP800-53A ended Aug. 31. "We are going
through the comments now," Toth said. "We may not have satisfied
anyone, so we're probably on the right track." Concerns expressed
about the guidelines included that they are too high-level and are not
specific enough for implementation, according to Toth.
One change that will definitely be made in the second draft of the
publication will be its expanded scope. The first draft covered
assessment of only five of the 12 security control areas identified in
SP800-53.
"They were the five we felt we could adequately address within the
time frame for getting it released," Toth said. "It was felt those
areas would address the bulk of agencies' concerns. They were a good
starting point."
[1] http://csrc.nist.gov/publications/drafts/sp800-53A-ipd.pdf