The National Institute of Standards and Technology will soon begin releasing guidelines that federal agencies can use to assess their compliance with a set of mandatory information-security rules due to take effect early next year.
The guidelines will be spelled out in a document that NIST plans to issue in draft form early next month. They are designed to enable periodic testing and evaluation of the effectiveness of the security controls that federal agencies need to put in place, Ron Ross, leader of NIST's Federal Information Security Management Act Implementation Project, said last week.
The new security rules were detailed in Special Publication 800-53, which NIST published in February. The rules cover 17 areas, such as access control, incident response, business continuity and disaster recovery capabilities. They will become a nonwaivable Federal Information Processing Standard for all federal systems except those related to national security.
The draft assessment guidelines being released next month will be included in a companion 800-53A document and will describe testing and evaluation procedures for five of the 17 required control areas, Ross said. He added that NIST will finalize the document and provide guidelines for all the rules by year's end.
Goal Is 'Right on Target'
The goal is to help federal agencies assess whether their controls "have been implemented correctly, are operating as intended and are producing the desired outcome with respect to meeting the organization's security requirements," Ross said.
NIST's goal "is right on target," said Alan Paller, director of research at the SANS Institute in Bethesda, Md. Too often, the lack of clear guidelines leads to situations where security mandates are interpreted in multiple ways, Paller noted. "The greatest mistake is when people write what needs to be done but not how it needs to be done," he said.
The effectiveness of 800-53A will depend on the level of detail it provides, Paller said. If the guidelines are crafted by "policy people" with little hands-on experience, they are unlikely to be of much value, he added.
"If a lot of the underpinning details are not addressed, it can give a false sense of compliance," said Will Ozier, president of OPA Inc., a Vacaville, Calif.-based consulting firm.