Security guidelines for U.S. agencies due in July
The goal: Help them assess compliance with upcoming infosec rules
Computerworld - The National Institute of Standards and Technology (NIST) will soon begin releasing formal guidelines federal agencies can use to assess their compliance with a set of mandatory information security rules due to take effect early next year.
The assessment guidelines, to be released in NIST Special Publication 800-53A early next month, are designed to enable periodic testing and evaluation of the security controls federal agencies need to put in place, said Ron Ross, project leader of NIST's Federal Information Security Management Act (FISMA) Implementation Project.
The mandatory security rules themselves were released in February in a separate NIST document, called Special Publication 800-53 (download PDF). That document details the baseline security controls for different categories of federal information management systems. The security rules cover 17 different areas, including access control, incident response, business continuity and disaster recoverability, and will become a required Federal Information Processing Standard by year's end for all federal systems except those related to national security.
The guidelines are designed to allow federal agencies to assess "if mandated controls have been implemented correctly, are operating as intended and are ... meeting the organization's security requirements," Ross said.
The NIST assessment guidelines are "very closely aligned" to SP 800-53, Ross said. The first draft will detail assessment procedures for five of the 17 security controls described in the February document but will eventually include guidelines for all the rules.
Every security control mandated in SP 800-53 will have an associated assessment method and procedure, Ross said. For example, a security requirement that federal agencies have formal information back-up processes will have an associated procedure describing how compliance can be evaluated, Ross said.
The guide can be used for agency self-assessments, by certification agents and auditors to do independent testing and even by IT systems developers, according to Ross.
"The goal of 800-53A is right on target," said Alan Paller director of research at the SANS Institute, a Washington-based security information center. Too often, a lack of clear guidelines leads to situations where mandated security controls are interpreted in different ways, Paller said. "The greatest mistake is when people write what needs to be done but not how it needs to be done," he said.
How effective the guidelines will be depends on how much detail it provides to information security assessors, Paller said. "If it was written by people who have really protected systems and cleaned up after attacks, it is likely to provide what is absolutely needed," he said. On the other hand, if the document wascrafted by "policy people" with little hands-on experience, it may not be of much practical value, he said.
While such assessment guides can be useful, "if a lot of the underpinning details are not addressed it can give a false sense of compliance," said Will Ozier president of OPA Inc., a Vacaville, Calif.-based risk management consultancy.
Read more about Gov't Legislation/Regulation in Computerworld's Gov't Legislation/Regulation Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into... All Gov't Legislation/Regulation White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Gov't Legislation/Regulation Webcasts