NIST document 'brings it all together' on FISMA

The National Institute of Standards and Technology has released the final version of its guidelines for implementing enterprisewide information risk management, laying out the underlying principles for implementing the Federal Information Security Management Act.

Ron Ross, who leads NIST’s FISMA implementation program, called Special Publication 800-39 “the capstone document for FISMA implementation. This brings it all together.”

The publication, under the title, "Managing Information Security Risk," describes a three-tiered risk-management approach based on the organization's core missions and business functions. It is the fourth of five planned publications in an interagency effort to harmonize information security requirements across the government’s civilian, military and intelligence communities.

Related coverage:

Progress is slow on harmonizing government cybersecurity policies

“It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk — that is, the risk associated with the operation and use of information systems that support the missions and business functions of their organizations,” the guidelines state.

The three tiers identified in 800-39 begin at the governance level, where an enterprisewide strategy is developed. Procedures for identifying and evaluating risks are established, the enterprise’s tolerance for risk is defined based on core mission, and plans for managing risk are set up, either by eliminating them, mitigating them, sharing them or accepting them. A plan for monitoring risk in a dynamic environment and adapting to changes also is needed.

In the second tier, the strategy is built into the enterprise architecture, based on the enterprise’s mission processes. The information security architecture becomes a roadmap for deploying all elements of security in the infrastructure.

The third tier is the information systems level, in which systems are developed with the security built in.

“Managing information security risk, like risk management in general, is not an exact science,” the guidelines state. “It brings together the best collective judgments of individuals and groups within organizations responsible for strategic planning, oversight, management, and day-to-day operations — providing both the necessary and sufficient risk response measures to adequately protect the missions and business functions of those organizations.”

Ross said the strategic approach is not new, and builds on the assumption that managing risk should begin at the top of the organization. But the short-term need to patch and defend against existing vulnerabilities too often diverts attention from a more strategic approach.

NIST is responsible under FISMA for developing guidelines, standards and specifications for IT security, but the FISMA requirements do not apply to national security IT systems. This has resulted in separate but overlapping programs for government IT security. Civilian, military and intelligence agencies have been cooperating for two years to bring their information security policies into line with each other under the Joint Task Force Transformation Initiative.

An interagency working group was formed under the task force in April 2009 by NIST, the Defense Department and the Director of National Intelligence to produce a unified information security framework, with NIST taking the lead and publishing guidance.

Three previous publications have been released by NIST as part of this effort:

• Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.”
• Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.”
• Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations.”

SP 800-39 supersedes the original SP 800-30, Guide for Conducting Risk Assessments, as guidance on risk management. An updated version of SP 800-30 is expected to be published this year and will complete the task force’s initial plans.

The completion of the five task force documents will not mean the end of NIST information security guidance. Ross said there have been discussions on two more possible publications under the harmonization effort. Work already has begun on a NIST document on system and security engineering that Ross said he would like to see become part of the harmonization effort. Guidelines on best practices for secure application development also are a possibility.