FISMA guidance nearly complete

The National Institute of Standards and Technology is nearly finished developing guidance documents for compliance with the Federal Information Security Management Act.

'Special Publication 800-53A is the last of the guidelines we will be providing," said Pat Toth of NIST's computer security division. Toth updated attendees on NIST's work at the Federal Information Assurance Conference at the University of Maryland today.

The publication, titled 'Guide for Assessing Security Controls in Federal Information Systems,' was released for comment in July. A second draft is expected to be released in March 2006.

NIST expects to complete its final FISMA standard, FIPS 200, which governs selection of security controls for information systems, in January or February 2006.

NIST was required to produce standards and implementation guidance for FISMA. The agency's next step will be to begin certification of agencies to perform security assessments for government IT systems.

NIST's work on FISMA guidance was divided into two areas: Federal Information Processing Standards and guidance published in the 800 series of Special Publications. Compliance with both guidelines and standards is mandatory. Technology-specific requirements are included in guidelines rather than standards because they can be more easily updated.

SP800-53A is intended to standardize security assessment practices across government, so they can produce consistent, comparable and repeatable results. This will enable trust relationships between organizations.

"Before you enter into any kind of relationship, it is critical to know where [organizations] stand in regard to security," Toth said.

The public comment period on SP800-53A ended Aug. 31. "We are going through the comments now," Toth said. "We may not have satisfied anyone, so we're probably on the right track." Concerns expressed about the guidelines included that they are too high-level and are not specific enough for implementation, according to Toth.

One change that will definitely be made in the second draft of the publication will be its expanded scope. The first draft covered assessment of only five of the 12 security control areas identified in SP800-53.

"They were the five we felt we could adequately address within the time frame for getting it released," Toth said. 'It was felt those areas would address the bulk of agencies' concerns. They were a good starting point."

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected