New SP800-37 Final Public Draft
November 17, 2009 at 8:52 pm #85702
NIST is releasing Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach, Final Public Draft.
This publication represents the second in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its support contractors. The initial publication produced by the task force, NIST Special Publication 800-53, Revision 3, was historic in nature—in that it created a unified security control catalog reflecting the information security requirements of both the national security community and the non-national security community. NIST Special Publication 800-37, Revision 1, completes the transformation of the traditional process employed by the federal government to certify and accredit federal information systems to a near real-time assessment and authorization. The revised process provides greater emphasis on: (i) building information security capabilities into information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes; and (iii) understanding and accepting the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of information systems.
The most significant change in the Final Public Draft of Special Publication 800-37, Revision 1, is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).
The revised RMF-based process has the following characteristics:
· Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
· Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
· Integrates information security more closely into the enterprise architecture and system development life cycle;
· Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
· Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls); and
· Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function).
The risk management process described in this publication focuses on the strategic, enterprise-centric, near real time-based approaches to security assessment and system authorization and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions.
We have worked diligently to review and adjudicate the over five hundred comments received during the initial public review process. Your feedback to us, as always, is important. The very insightful comments from both the public and private sectors continue to help shape our publications and ensure that they meet the needs of our customers.
Please send comments to [email protected] by December 31, 2009. Final publication is expected in February 2010. The NIST CSRC Special Publications website is http://csrc.nist.gov/publications/PubsSPs.html. The NIST FISMA Implementation Project website is located . You may go directly to SP 800-37 at: http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-FPD.pdf
November 30, 2009 at 10:26 am #85705
Related News story from Information Week:
NIST Drafts Cybersecurity Guidance
The National Institute for Standards and Technology is urging the government to continuously monitor its own cybersecurity efforts.
By J. Nicholas Hoover, InformationWeek
Nov. 23, 2009
Draft guidance from the National Institute of Standards and Technology issued last week, pushes government agencies to adopt a comprehensive, continuous approach to cybersecurity, tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits.
The guidance, encapsulated in a draft revision to NIST Special Publication 800-37, will likely be finalized early next year. While federal agencies aren’t required to follow all of its recommendations, NIST is officially charged with creating standards for compliance with the Federal Information Systems Management Act (FISMA), which sets cybersecurity requirements in government, so this guidance should at the very least be influential.
As official statistics show attacks on the federal government continuing to rise, the Government Accountability Office and agency inspectors general have repeatedly found the federal government or particular agencies falling short of the spirit of FISMA, if not its letter. Meanwhile, critics have repeatedly found fault with either FISMA or its implementation in practice, saying that it doesn’t do enough to ensure that government agencies remain consistently vigilant about cybersecurity.
The new document puts more onus on applying risk management throughout the lifecycle of IT systems. “This is part of a larger strategy to try to do more on the front end of security as opposed to just on the back end,” says NIST’s Ron Ross, who is in charge of FISMA guidance at the agency. “We don’t think of security as a separate undertaking, but as a consideration we make in our normal lifecycle processes.”
Special Publication 800-37 fleshes out six steps federal agencies should take to tackle cybersecurity: categorization, selection of controls, implementation, assessment, authorization, and continuous monitoring. It improves on earlier guidance by emphasizing making rigorous cybersecurity part and parcel of the deployment and operation of IT systems.
The document breaks out its cybersecurity guidance in several steps. First, federal agencies are advised to determine the value of their information. Secondly, it recommends that they determine what controls are necessary for information of that value. Third, it suggests the need to actually put the security controls in place. Fourth, it advises an assessment of whether the controls were implemented correctly. Fifth, senior leadership is urged to make a decision as to whether adequate security steps have been taken.
Finally, and perhaps most significantly, the document advises federal agencies to put continuous monitoring in place. Software, firmware, hardware, operations, and threats change constantly. Within that flux, security needs to be managed in a structured way, Ross says.
“We need to recognize that we work in a very dynamic operational environment,” Ross says. “That allows us to have an ongoing and continuing acceptance and understanding of risk, and that ongoing determination may change our thinking on whether current controls are sufficient.”
The continuous risk management step might include use of automated configuration scanning tools, vulnerability scanning, and intrusion detection systems, as well as putting in place processes to monitor and update security guidance and assessments of system security requirements.
NIST will keep public comment on Special Publication 800-37 open until the end of the year.
The new document is the second in a series of five that aims to create a more consistent, unified framework for federal cybersecurity. A consortium of agencies, which includes representatives from the military, intelligence agencies, and civilian agencies, is behind the creation of the series.
The first in the series, Special Publication 800-53, provided updated recommendations on security controls. The other three documents will advise federal agencies on how to assess the effectiveness of security measures, provide an enterprise architecture lens through which to look at cybersecurity, and how to assess risk and tackle existing problems.
Over the coming year or two, NIST also plans to help integrate cybersecurity guidance into the government’s official Federal Enterprise Architecture methodology, release a technical cybersecurity framework for systems and security engineering, and take on a more public face to encourage culture change in terms of cybersecurity.
Copyright © 2009 United Business Media LLC, All rights reserved.