NIST document 'brings it all together' on FISMA

New guidance on risk management the 'capstone' for implementation, program leader says

The National Institute of Standards and Technology has released the final version of its guidelines for implementing enterprisewide information risk management, laying out the underlying principles for implementing the Federal Information Security Management Act.

Ron Ross, who leads NIST’s FISMA implementation program, called Special Publication 800-39 “the capstone document for FISMA implementation. This brings it all together.”

The publication, titled "Managing Information Security Risk," describes a three-tiered risk-management approach based on the organization's core missions and business functions. It is the fourth of five planned publications in an interagency effort to harmonize information security requirements across the government’s civilian, military and intelligence communities.



“It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk — that is, the risk associated with the operation and use of information systems that support the missions and business functions of their organizations,” the guidelines state.

The three tiers identified in 800-39 begin at the governance level, where an enterprisewide strategy is developed. Procedures for identifying and evaluating risks are established, the enterprise’s tolerance for risk is defined based on core mission, and plans for managing risks are set up, whether by eliminating, mitigating, sharing or accepting them. A plan for monitoring risk in a dynamic environment and adapting to changes also is needed.

In the second tier, the strategy is built into the enterprise architecture, based on the enterprise’s mission processes. The information security architecture becomes a roadmap for deploying all elements of security in the infrastructure.

The third tier is the information systems level, in which systems are developed with the security built in.

“Managing information security risk, like risk management in general, is not an exact science,” the guidelines state. “It brings together the best collective judgments of individuals and groups within organizations responsible for strategic planning, oversight, management, and day-to-day operations — providing both the necessary and sufficient risk response measures to adequately protect the missions and business functions of those organizations.”

Ross said the strategic approach is not new, and builds on the assumption that managing risk should begin at the top of the organization. But the short-term need to patch and defend against existing vulnerabilities too often diverts attention from a more strategic approach.

NIST is responsible under FISMA for developing guidelines, standards and specifications for IT security, but the FISMA requirements do not apply to national security IT systems. This has resulted in separate but overlapping programs for government IT security. Civilian, military and intelligence agencies have been cooperating for two years to bring their information security policies into line with each other under the Joint Task Force Transformation Initiative.

An interagency working group was formed under the task force in April 2009 by NIST, the Defense Department and the Director of National Intelligence to produce a unified information security framework, with NIST taking the lead and publishing guidance.

Three previous publications have been released by NIST as part of this effort:

SP 800-39 supersedes the original SP 800-30, Guide for Conducting Risk Assessments, as guidance on risk management. An updated version of SP 800-30 is expected to be published this year and will complete the task force’s initial plans.

The completion of the five task force documents will not mean the end of NIST information security guidance. Ross said there have been discussions on two more possible publications under the harmonization effort. Work already has begun on a NIST document on system and security engineering that Ross said he would like to see become part of the harmonization effort. Guidelines on best practices for secure application development also are a possibility.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.


Reader comments

Tue, Nov 8, 2011 Paul Sigmon Dahlgren, VA

Will there be a CONOP or some sort of standardization for legacy DoD-produced software to obtain Authority To Operate (ATO)? Huge waste of $ right now putting "Simple Software" through the DIACAP process when virtually all IA criteria are either Inherited or N/A; but the packages still have to go through all of the certification and accreditation agencies for collaboration, votes, additional collaboration, votes, etc. Spend over $100K easily to "Certified IAMs". As a Retired ITCM, USN, it kills me to see all these wasted monies. It'd be cheaper to just have one standard across all services for legacy "simple software applications" so Program Managers can evaluate and test their software internally, provide a copy of it to a host system tester, i.e., ISNS at SPAWAR for an IA test, eRetina Gold Disk Test, if it passes, then, it should be accredited. If any IA items have risks that are obviously inherited from the host system, the software should be accredited (don't need 2 dozen meetings and payouts to "certified IAMs", 2 ODAAs, etc.). Thanks for hearing me out, dealing with these issues right now and it looks like the problems are going to get worse versus better. Paul Sigmon
