NIST offers IT security spending guidance

Agencies must include security spending in IT budget requests, and the National Institute of Standards and Technology has released draft guidelines on how to do this.

The report, Integrating Security into the Capital Planning and Investment Control Process, gives 'common criteria against which agencies can prioritize security activities.'

Special Publication 800-65 is part of a series of information security guidelines required from NIST under the Federal Information Security Management Act. NIST is accepting comments on the proposed guidelines until Aug. 12.

FISMA requires agencies to make annual reports of their IT security posture to the Office of Management and Budget, and to include cost and time frame estimates for correcting problems identified in these reports in IT budget requests. NIST recommends a seven-step process for identifying high-priority actions for immediate funding:

  • Identify baseline: Use info security metrics to determine the current security posture

  • Identify prioritization criteria: Evaluate security posture against government and agency requirements

  • Prioritize against enterprise-level requirements: Compare security costs against impact of security breach on agency mission

  • Prioritize against system-level requirements: Evaluate impact of corrective action on systems

  • Develop supporting materials: These include concept papers, business case analysis and Exhibit 300 required by OMB

  • Implement portfolio management: Prioritize agencywide business case against security requirements

  • Program management: Ensure investments are managed through their lifecycle using Earned Value Management and the Information Technology Investment Management maturity framework.

Comments on the guidelines can be submitted by e-mail to

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.