NIST Publications Offer FISMA Compliance Guidance

By Stacey McDaniel

The federal government has become increasingly reliant on technology and the Internet for its operations; as a result, maintaining a secure cyberspace has become essential to our homeland and national security. Recognizing this, the government has taken some important steps to address the need for stronger information security practices within the government and its associated organizations. Two examples can be seen in the Federal Information Security Management Act (FISMA) security requirements, and the increased number of National Institute of Standards and Technology (NIST) publications addressing best security practices.

FISMA sets requirements

FISMA requires every federal agency, as well as any organization whose information systems possess or make use of federal information, to develop, document, and implement an agency-wide risk-based information security program. Additionally, FISMA requires periodic testing and evaluation of the effectiveness of the information security policies, procedures, and practices that are in place. While FISMA lays out the required elements of the security program, it doesn't set any security benchmarks, or provide much in the way of guidance on how to achieve these requirements. That's where NIST comes in.

NIST provides guidance

NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. For more than two decades, it has produced a number of publications that provide computer security guidance for federal agencies. NIST has always taken the evolving nature of technology and new vulnerabilities into account to provide timely advice, and now FISMA has called upon it to step up and establish some important standards and practices for government security.

Official publications

FISMA has tasked NIST with developing a series of official publications relating to information system security standards and guidelines that provide the following:

  • Standards to be used by federal agencies to categorize all information and information systems collected or maintained by, or on behalf of, each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;

  • Guidelines for the types of information and information systems to be included in each category; and

  • Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each category.

Publications to address FISMA

"Security Considerations in the Information Systems Development Life Cycle" was the first set of NIST guidelines mandated under FISMA. This publication outlines ways to link different types of federal information and systems, and then assign levels to the risks each faces. It also defines three security areas for information and systems (confidentiality, integrity, and availability), and then identifies three levels of potential impact on organizations or individuals if any of those security areas are compromised.

Another publication developed in accordance with FISMA is "Standards for the Security Categorization of Federal Information and Information Systems." It sets security categorization standards; standards and guidelines for the specification, selection, and testing of security controls for information systems; and guidelines for the certification review and accreditation of information systems.

In January 2004, NIST published "Computer Security Incident Handling Guide." This guide is intended to help both established and newly formed incident response teams respond effectively and efficiently to a variety of incidents. More specifically, it discusses organizing a computer security incident response capability, establishing incident response policies and procedures, structuring an incident response team, and handling incidents -- from initial preparation through the post-incident "lessons learned" phase. And, as the title suggests, it discusses handling a variety of incidents, such as denial of service, unauthorized access, malicious code, and inappropriate usage. The guide also includes helpful resources such as security checklists and FAQs. Many computer security experts have lauded NIST's Incident Handling Guide as a comprehensive "must read" document for every information security professional, whether in the public or private sector.

Other NIST guidelines released in 2004 include "Recommendation for Electronic Authentication," "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)," and "Mapping Types of Information and Information Systems to Security Categories."

As the world's largest consumer of information technology, the federal government has finally made securing that technology an important issue. The NIST publications will play a critical role as federal agencies determine the level of security needed for their information systems in order to be FISMA-compliant. NIST breaks down the security standards and required measures into understandable and manageable terms -- it is up to IT managers in the government to consult these important publications as they work on building an effective security program.

Stacey McDaniel has been writing about high-tech issues for more than six years.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
