[ISN] NIST Drafts Cybersecurity Guidance

[InfoSec News]

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900722

By J. Nicholas Hoover
InformationWeek
November 23, 2009

Draft guidance from the National Institute of Standards and Technology 
issued last week, pushes government agencies to adopt a comprehensive, 
continuous approach to cybersecurity, tackling criticism that federal 
cybersecurity regulations have placed too much weight on periodic 
compliance audits.

The guidance, encapsulated in a draft revision to NIST Special 
Publication 800-37, will likely be finalized early next year. While 
federal agencies aren't required to follow all of its recommendations, 
NIST is officially charged with creating standards for compliance with 
the Federal Information Systems Management Act, (FISMA), which sets 
cybersecurity requirements in government, so this guidance should at the 
very least be influential.

As official statistics show attacks on the federal government continuing 
to rise, the Government Accountability Office and agency inspector 
generals have repeatedly found the federal government or particular 
agencies falling short of the spirit of FISMA, if not its letter. 
Meanwhile, critics have repeatedly found fault with either FISMA or its 
implementation in practice, saying that it doesn't do enough to ensure 
that government agencies remain consistently vigilant about 
cybersecurity.

The new document puts more onus on applying risk management throughout 
the lifecycle of IT systems. "This is part of a larger strategy to try 
to do more on the front end of security as opposed to just on the back 
end," says NIST's Ron Ross, who is in charge of FISMA guidance at the 
agency. "We don't think of security as a separate undertaking, but as a 
consideration we make in our normal lifecycle processes."

[...]