By William Jackson
The National Institute of Standards and Technology is nearly finished
developing guidance documents for compliance with the Federal
Information Security Management Act.
"Special Publication 800-53A is the last of the guidelines we will
be providing," said Pat Toth of NIST's computer security division.
Toth updated attendees on NIST's work at the Federal Information
Assurance Conference at the University of Maryland today.
The publication, titled "Guide for Assessing Security Controls in
Federal Information Systems," was released for comment in July. A
second draft is expected to be released in March 2006.
NIST expects to complete its final FISMA standard, FIPS 200, which
governs selection of security controls for information systems, in
January or February 2006.
NIST was required to produce standards and implementation guidance for
FISMA. The agency's next step will be to begin certification of
agencies to perform security assessments for government IT systems.
NIST's work on FISMA guidance was divided into two areas: Federal
Information Processing Standards and guidance published in the 800
series of Special Publications. Compliance with both guidelines and
standards is mandatory. Technology-specific requirements are included
in guidelines rather than standards because they can be more easily
SP800-53A is intended to standardize security assessment practices
across government, so they can produce consistent, comparable and
repeatable results. This will enable trust relationships between
"Before you enter into any kind of relationship, it is critical to
know where [organizations] stand in regard to security," Toth said.
The public comment period on SP800-53A ended Aug. 31. "We are going
through the comments now," Toth said. "We may not have satisfied
anyone, so we're probably on the right track." Concerns expressed
about the guidelines included that they are too high-level and are not
specific enough for implementation, according to Toth.
One change that will definitely be made in the second draft of the
publication will be its expanded scope. The first draft covered
assessment of only five of the 12 security control areas identified in
"They were the five we felt we could adequately address within the
time frame for getting it released," Toth said. "It was felt those
areas would address the bulk of agencies' concerns. They were a good