NIST releases draft guidelines for FISMA compliance
The document, titled “Recommended Security Controls for Federal Information Systems and Organizations,” is in its third revision, but this is the first major update since its initial publication in December 2005. NIST is accepting comments on the document until March 27, Ron Ross, the organization's FISMA implementation project leader, told SCMagazineUS.com Friday.
“During the past three years we have learned a lot from our federal agencies implementing these controls,” Ross said. “[The revisions are] based on new threats we are seeing and the type of cyberattacks that are ongoing within our federal agencies.”
Ross said the federal government, the private sector and companies abroad are encouraged to review and comment. NIST likely will put out a final draft before the document is finalized for release around April.
“We like to make sure our customers are part of the process because they have to implement this stuff -- so we want to get their perspective with everything we do,” Ross said.
Changes to the document include: a restructuring of the security control catalog to include guidance requirements that were previously supplemental; adjusted security control and control enhancement allocations in the low-, moderate- and high-impact baselines; added security control enhancements for advanced cyberthreats, including supply chain threats; and elimination of redundant security controls and control enhancements.
“The biggest improvement is the addition of the new controls and control enhancements with regard to the new threats we are seeing,” Ross said.
Security program management controls were added relating to capital planning, budgeting, enterprise architecture and risk management. Additional guidance was added for the management of common controls.
A revised and simplified six-step risk management framework also was incorporated, in addition to a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards.
This will help align the federal law with standards that are generally accepted by corporations, Christopher Fountain, president and CEO of SecureInfo, provider of information assurance solutions for the federal government, told SCMagazineUS.com Friday in an email.
“It begins to incorporate [ISO 27001] that is generally accepted in the private sector,” he said. “Since the private sector controls over 90 percent of the nation's critical infrastructure, which depends heavily on complex networks and systems, having common standards to secure all networks and systems across the public and private sectors is much needed.”