NIST to develop credentials for FISMA consultants

The National Institute of Standards and Technology has begun a project to develop a set of security credentials aimed at assessment providers.


The credentials build on NIST’s security and risk management guidance for the Federal Information Security Management Act.


Agencies typically hire contractors to help them certify and accredit their systems to meet FISMA requirements. As agencies move to a risk management approach, it is important that they be confident that the contractors they hire can adequately provide those services, said Ron Ross, NIST senior computer scientist.

“In essence, we’re going to be credentialing organizations to demonstrate their competence in applying everything that you see in NIST’s Risk Management Framework,” he said at an information assurance conference sponsored by Guidance Software on Nov. 29.


On Sept. 29, NIST released a draft document outlining provider requirements and customer responsibilities for the program, which Ross calls FISMA II.


NIST has developed standards and guidelines to move agencies toward a dynamic, risk management approach to FISMA, highlighted by continuous monitoring of security controls. The goal is to move away from what has been a paper exercise that documents an agency’s security state based on a snapshot in time.


In addition, NIST, the Office of the Director of National Intelligence and the Defense Department are working on converging security standards across government to encourage trust in each other’s systems and information sharing.

Besides setting a bar for security assessors, NIST also wants to develop a stronger and more competent cybersecurity workforce. NIST is developing a set of training modules for each of the standards and guidelines in its FISMA series, with the first module anticipated for next spring, Ross said.


Each module will include frequently asked questions; a crib-sheet version of the fundamentals, such as how to perform security categorization or how to tailor security controls; and a detailed, comprehensive guide to the standard or guideline it covers. Ross hopes to link the training to the Information System Security Line of Business.

“These training modules will be developed at government expense, offer classes free of charge in the first couple of cycles to get the students and to give us feedback on how the training modules really are,” Ross said. After revising the modules based on that feedback, NIST will make them available to the public and private sectors.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
