CIOs get 5-step plan for security evaluations

By Susan M. Menke

GCN Staff

DEC. 12 - The Chief Information Officers Council has alerted federal CIOs to a new, five-level framework for managing security risks to their systems.

The Federal Information Technology Security Assessment Framework is posted at To meet the lowest level of the framework, a particular asset must have a documented security policy. At Level 2, the asset also must have documented controls for the policy. At Level 3, such controls are in place, and at Level 4, they have been tested and reviewed. At the top level, the controls have been fully integrated into a comprehensive security program.

The National Institute of Standards and Technology will release a companion questionnaire early next year that will help CIOs determine the security status of an asset, a program or an entire agency.

The CIO Council chairwoman, Sally Katzen of the Office of Management and Budget, and the vice chairman, James Flyzik of the Treasury Department, said the framework and questionnaire will help agencies comply with the annual security reviews mandated by the Government Information Security Reform Act.
