NIST announces FISMA Phase II

The National Institute of Standards and Technology is drafting a set of qualifications that agencies and contractors must meet before they can assess the security of federal information systems. The Federal Information Security Management Act of 2002 requires annual security assessments.

Establishing qualifications for those who conduct security assessments marks a new phase in the implementation of FISMA, NIST officials said this week. In the first phase, NIST was preoccupied with creating information security standards and guidelines for federal agencies. In the next phase, NIST’s technical managers will try to create a set of minimum qualifications and procedural standards for anyone who conducts FISMA security assessments. The purpose is to ensure that federal agencies receive consistent and competent assessments.

NIST expects to publish those qualifications in draft form in late June.

“They’re getting into uncharted territory,” said Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium. “They’re getting involved with a credentialing program that involves something other than software and hardware modules.”

NIST held a public workshop April 26 to solicit ideas about to create a pool of service providers qualified to provide security assessments using FISMA standards and guidelines.


  • Budget
    Stock photo ID: 134176955 By Richard Cavalleri

    House passes stopgap spending bill

    The current appropriations bills are set to expire on Oct. 1; the bill now goes to the Senate where it is expected to pass.

  • Defense
    concept image of radio communication (DARPA)

    What to look for in DOD's coming spectrum strategy

    Interoperability, integration and JADC2 are likely to figure into an updated electromagnetic spectrum strategy expected soon from the Department of Defense.

Stay Connected