
Report: NIST's Cybersecurity Guidelines Aren't Enough







http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=219300112 

By J. Nicholas Hoover
InformationWeek
August 13, 2009 

A set of cybersecurity controls recently recommended by the National 
Institute of Standards and Technology for federal agencies doesn't go 
far enough, according to a watchdog group.

In a preliminary report, the Cyber Secure Institute, an organization 
headed by former government officials and IT executives, calls NIST's 
Recommended Security Controls for Federal Information Systems and 
Organizations, also known as Special Publication 800-53, "an important 
step forward," but finds that the publication raises "a number of 
serious questions."

NIST published a final version of those security controls, which were 
developed with input from civilian, defense, and intelligence agencies, 
earlier this month. The 236-page publication provides guidelines for 
federal agencies to meet under the Federal Information Systems 
Management Act, or FISMA.

Among the shortcomings identified by the Cyber Secure Institute was 
NIST's classification system for assigning "impact" to government 
systems. NIST instructs agencies to determine if systems are low, 
moderate, or high impact and take certain security measures based on 
those assessments. The Cyber Secure Institute worries that low- and 
moderate-impact systems won't be adequately protected against 
"highly-skilled, highly-motivated and well-resourced" attackers.

[...]

