NIST releases final piece of IT security foundation
- By William Jackson
- Sep 21, 2011
Declaring “it is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk,” the National Institute of Standards and Technology is offering new guidance for assessing IT risk.
Risk assessment is a basic part of risk management, and NIST is updating and expanding its guidelines. It has released for comment a draft of Revision 1 of Special Publication 800-30, "Guide for Conducting Risk Assessments."
The publication is the fifth in a series of information security guidelines intended to “establish a common foundation for information security across the federal government,” by harmonizing requirements for civilian, military and national defense networks.
NIST document 'brings it all together' on FISMA
Risk assessment identifies, prioritizes and estimates risks to an organization, its operations and its assets presented by an IT threat. A threat can create different levels of risk depending on its likelihood, the systems and operations affected, and the types of operations the systems perform. According to the guidelines, the assessment should be carried out at three tiers within the organization: the organizational level, mission or business process level, and the information system level.
At the system level, the assessment can be used to support implementation of the Risk Management Framework. Guidelines for implementing risk management were published earlier this year in SP 800-39.
Guidelines for risk management were included in the original version of SP 800-30, but this publication was superseded by SP 800-39, which focuses exclusively on risk management. The proposed revision of 800-30 expands the guidelines for risk assessment.
NIST called the publication of the risk management document earlier this year the capstone of its guidelines for implementing the Federal Information Security Management Act. NIST is responsible under FISMA for developing guidelines, standards and specifications for IT security, but the FISMA requirements do not apply to national security IT systems. This has resulted in separate but overlapping programs for government IT security. Civilian, military and intelligence agencies have been cooperating for two years to bring their information security policies into line with each other under the Joint Task Force Transformation Initiative.
A common foundation for information security is intended to provide the various government communities and their contractors with more consistent ways to manage risks and to provide a basis for reciprocal acceptance of security authorization decisions and facilitate information sharing.
An interagency working group was formed under the task force in April 2009 by NIST, the Defense Department and the Director of National Intelligence to produce a unified information security framework, with NIST taking the lead and publishing guidance.
The four previous publications released by NIST as part of this effort are:
- SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach."
- SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations."
- SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems and Organizations."
- SP 800-39, "Managing Information Security Risk."
The updated version of SP 800-30 will complete the series. Comments on the draft should be made by Sept. 19 to firstname.lastname@example.org.
William Jackson is freelance writer and the author of the CyberEye blog.