CIOs get 5-step plan for security evaluations

By Susan M. Menke

GCN Staff

DEC. 12: The Chief Information Officers Council has alerted federal CIOs to a new, five-level framework for managing security risks to their systems.

The Federal Information Technology Security Assessment Framework is posted at www.cio.gov/docs/federal_it_security_assessment_framework.htm. To meet the lowest level of the framework, a particular asset must have a documented security policy. At Level 2, the asset also must have documented controls for the policy. At Level 3, such controls are in place, and at Level 4, they have been tested and reviewed. At the top level, the controls have been fully integrated into a comprehensive security program.

The National Institute of Standards and Technology will release a companion questionnaire early next year that will help CIOs determine the security status of an asset, a program or an entire agency.

The CIO Council chairwoman, Sally Katzen of the Office of Management and Budget, and the vice chairman, James Flyzik of the Treasury Department, said the framework and questionnaire will help agencies comply with the annual security reviews mandated by the Government Information Security Reform Act.
