By Jaikumar Vijayan
JUNE 10, 2005
The National Institute of Standards and Technology (NIST) will soon
begin releasing formal guidelines federal agencies can use to assess
their compliance with a set of mandatory information security rules
due to take effect early next year.
The assessment guidelines, to be released in NIST Special Publication
800-53A early next month, are designed to enable periodic testing and
evaluation of the security controls federal agencies need to put in
place, said Ron Ross, project leader of NIST's Federal Information
Security Management Act (FISMA) Implementation Project.
The mandatory security rules themselves were released in February in a
separate NIST document, called Special Publication 800-53 (download
PDF) . That document details the baseline security controls for
different categories of federal information management systems. The
security rules cover 17 different areas, including access control,
incident response, business continuity and disaster recoverability,
and will become a required Federal Information Processing Standard by
year's end for all federal systems except those related to national
The guidelines are designed to allow federal agencies to assess "if
mandated controls have been implemented correctly, are operating as
intended and are ... meeting the organization's security
requirements," Ross said.
The NIST assessment guidelines are "very closely aligned" to SP
800-53, Ross said. The first draft will detail assessment procedures
for five of the 17 security controls described in the February
document but will eventually include guidelines for all the rules.
Every security control mandated in SP 800-53 will have an associated
assessment method and procedure, Ross said. For example, a security
requirement that federal agencies have formal information back-up
processes will have an associated procedure describing how compliance
can be evaluated, Ross said.
The guide can be used for agency self-assessments, by certification
agents and auditors to do independent testing and even by IT systems
developers, according to Ross.
"The goal of 800-53A is right on target," said Alan Paller director of
research at the SANS Institute, a Washington-based security
information center. Too often, a lack of clear guidelines leads to
situations where mandated security controls are interpreted in
different ways, Paller said. "The greatest mistake is when people
write what needs to be done but not how it needs to be done," he said.
How effective the guidelines will be depends on how much detail it
provides to information security assessors, Paller said. "If it was
written by people who have really protected systems and cleaned up
after attacks, it is likely to provide what is absolutely needed," he
said. On the other hand, if the document was crafted by "policy
people" with little hands-on experience, it may not be of much
practical value, he said.
While such assessment guides can be useful, "if a lot of the
underpinning details are not addressed it can give a false sense of
compliance," said Will Ozier president of OPA Inc., a Vacaville,
Calif.-based risk management consultancy.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.