FISMA 'capstone' document ready for public scrutiny
The guidelines for enterprisewide information risk management, the latest in an interagency effort to harmonize information security requirements, define the underlying principles for implementing the Federal Information Security Management Act.
The National Institute of Standards and Technology has released a draft of its guidelines for implementing enterprisewide information risk management. The document defines the underlying principles for implementing the Federal Information Security Management Act.
“This is the capstone document for FISMA implementation,” said Ron Ross, who leads NIST’s FISMA implementation program. “This brings it all together.”
The draft of Special Publication 800-39, released this week for public comment, is the fourth of five planned publications in an interagency effort to harmonize information security requirements across the government’s civilian, military and intelligence communities. The latest document offers a three-tiered approach to risk management that focuses on moving strategic security decisions up the organizational chart to senior management levels and emphasizes building secure systems rather than fixing insecure ones.
“For the better part of three decades, we have been doing risk management down at the technology level, vulnerability by vulnerability,” Ross said. “That is probably not a winning strategy on its own. Let’s focus on the front end: making more secure systems.”
NIST is responsible under FISMA for developing guidelines, standards and specifications for IT security, but the FISMA requirements do not apply to national security IT systems. That split has resulted in separate but overlapping programs for government IT security. Civilian, military and intelligence agencies have been cooperating for two years to bring their information security policies in line with one another's under the Joint Task Force Transformation Initiative.
An interagency working group formed under the task force in April 2009 by NIST, the Defense Department and the Office of the Director of National Intelligence has the goal of producing a unified information security framework, with NIST taking the lead and publishing guidance.
NIST has released three publications so far as part of that effort:
- Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
- Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations.
- Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations.
When finalized, SP 800-39 will be the fourth publication. It will supersede SP 800-30, Guide for Conducting Risk Assessments, as the guidance for risk management. An updated version of SP 800-30 is expected to be published in several months and will complete the task force’s initial plans.
The three tiers identified in SP 800-39 begin at the governance level, where an enterprisewide strategy is developed. Procedures for identifying and evaluating risks are established, the enterprise’s tolerance for risk is defined based on its core mission, and plans for managing risks are set, whether by eliminating, mitigating, sharing or accepting them. A plan for monitoring risk in a dynamic environment and adapting to changes is also needed.
In the second tier, the strategy is built into the enterprise architecture, based on the enterprise's mission processes. The information security architecture becomes a road map for deploying all elements of security in the infrastructure.
The third tier is the information systems level, in which systems are developed with the security built in.
“It’s certainly not new,” Ross said of the strategic approach. “We’ve always known that building security in and managing risk should begin at the top.” But for too long, attention has been diverted to patching and defending against existing vulnerabilities, and as a result the strategic approach has not been adopted.
Such an approach to security will not eliminate the need for good back-end security and will not fix immediate problems, Ross said.
“I realize we have a lot of legacy stuff out there” that will not be replaced soon, he said. But in the long term, the strategic approach should have a positive impact on security as new information systems are brought online.
The completion of the five task force documents will not mean the end of information security guidance, Ross said. There have been discussions on two more possible publications under the harmonization effort. Work has already begun on a NIST document on system and security engineering that Ross said he would like to see become part of the harmonization effort. Guidelines on best practices for secure application development are also a possibility.
“The challenges never stop,” Ross said.
Comments on the draft of SP 800-39 should be sent by Jan. 25 to sec-cert@nist.gov.