NIST to develop credentials for FISMA consultants

The National Institute of Standards and Technology has begun a project to develop a set of security credentials aimed at assessment providers.


The credentials build on NIST’s security and risk management guidance for the Federal Information Security Management Act.


Agencies typically hire contractors to help them certify and accredit their systems to meet FISMA requirements. As agencies move to a risk management approach, it is important that they be confident that the contractors they hire can adequately provide those services, said Ron Ross, NIST senior computer scientist.

“In essence, we’re going to be credentialing organizations to demonstrate their competence in applying everything that you see in NIST’s Risk Management Framework,” he said at an information assurance conference sponsored by Guidance Software on Nov. 29.


NIST released on Sept. 29 a draft document outlining provider requirements and customer responsibilities for the program, which Ross calls FISMA II.


NIST has developed standards and guidelines to move agencies toward a dynamic, risk management approach to FISMA, highlighted by continuous monitoring of security controls. The goal is to move away from what has been a paper exercise that documents an agency’s security state based on a snapshot in time.


In addition, NIST, the Office of the Director of National Intelligence and the Defense Department are working on converging security standards across government to encourage trust in each other’s systems and information sharing.

Besides setting a bar for security assessors, NIST also wants to develop a stronger and more competent cybersecurity workforce. NIST is developing a set of training modules for each of the standards and guidelines in its FISMA series, with the first module anticipated for next spring, Ross said.


Each module will include frequently asked questions; a crib sheet version of fundamentals, such as how to do security categorization or tailor security controls; and a detailed and comprehensive guide for each standard. He hopes to link it to the Information System Security Line of Business.

“These training modules will be developed at government expense, offer classes free of charge in the first couple of cycles to get the students and to give us feedback on how the training modules really are,” Ross said. After revising the modules based on that feedback, NIST will make them available to the public and private sectors.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
