By J. Nicholas Hoover
August 13, 2009

A set of cybersecurity controls recently recommended by the National
Institute of Standards and Technology for federal agencies doesn't go
far enough, according to a watchdog group.

In a preliminary report, the Cyber Secure Institute, an organization
headed by former government officials and IT executives, calls NIST's
Recommended Security Controls for Federal Information Systems and
Organizations, also known as Special Publication 800-53, "an important
step forward," but finds that the publication raises "a number of

NIST published a final version of those security controls, which were
developed with input from civilian, defense, and intelligence agencies,
earlier this month. The 236-page publication provides guidelines for
federal agencies to meet under the Federal Information Systems
Management Act, or FISMA.

Among the shortcomings identified by the Cyber Secure Institute was
NIST's classification system for assigning "impact" to government
systems. NIST instructs agencies to determine if systems are low,
moderate, or high impact and take certain security measures based on
those assessments. The Cyber Secure Institute worries that low- and
moderate-impact systems won't be adequately protected against
"highly-skilled, highly-motivated and well-resourced" attackers.