NIST offers IT security spending guidance

Agencies must include security spending in IT budget requests, and the National Institute of Standards and Technology has released draft guidelines on how to do this.

The report, Integrating Security into the Capital Planning and Investment Control Process, gives 'common criteria against which agencies can prioritize security activities.'

Special Publication 800-65 is part of a series of information security guidelines required from NIST under the Federal Information Security Management Act. NIST is accepting comments on the proposed guidelines until Aug. 12.

FISMA requires agencies to make annual reports of their IT security posture to the Office of Management and Budget, and to include cost and time frame estimates for correcting problems identified in these reports in IT budget requests. NIST recommends a seven-step process for identifying high-priority actions for immediate funding:

  • Identify baseline: Use information security metrics to determine the current security posture

  • Identify prioritization criteria: Evaluate security posture against government and agency requirements

  • Prioritize against enterprise-level requirements: Compare security costs against impact of security breach on agency mission

  • Prioritize against system-level requirements: Evaluate impact of corrective action on systems

  • Develop supporting materials: These include concept papers, business case analyses and the Exhibit 300 required by OMB

  • Implement portfolio management: Prioritize agencywide business case against security requirements

  • Program management: Ensure investments are managed through their lifecycle using Earned Value Management and the Information Technology Investment Management maturity framework.
Comments on the guidelines can be submitted by e-mail to sec-cpic@nist.gov.

About the Author

William Jackson is a Maryland-based freelance writer.
