Homeland Security Strategies
FIAC Will Help With FISMA Compliance
The Federal Information Security Management Act (FISMA) remains a cornerstone element of both the White House and congressional effort to link funding for IT systems directly to security compliance.
But in the hurly-burly of program and system development, the question inevitably arises: How do agencies make sure they are following FISMA closely enough to ensure that funds will be there at budget time?
A key aspect of the FISMA movement was passed along to the National Institute of Standards and Technology when Congress mandated that NIST develop new Certification and Accreditation (C&A) guidelines via NIST Special Publication 800-37.
The C&A effort engages both program officials and agency CIOs to look beyond individual products and approach the system as a single entity, noted Ron Ross, Ph.D., the senior NIST official who leads the 800-37 C&A effort. At the end of the day, the NIST program guides agency officials as they accredit their systems for use in an operational environment, Ross said.
Speaking to an Energy department conference earlier this year, Ross called 800-37 a last stop of sorts along the pathway to FISMA compliance. The C&A program has been NIST's number one IT security priority this year, he said.
Ross will elaborate on the key elements of what he calls the mission-focused C&A process at the Federal Information Assurance Conference in College Park, Md. on Oct. 21, during a 9:30 a.m. IA Legislation and Policy conference session.
The 800-37 guidelines have undergone some revisions as they were crafted by NIST. A year ago, NIST was rolling more risk management issues into the C&A guidelines, but officials have since created separation between the two disciplines.
The certification testing as advised within 800-37 focuses more tightly on vulnerabilities. The "C" here is mainly related to a robust testing scheme in which exacting documentation is developed and a new network of independent testing labs is formed, Ross said.
The "A" for accreditation could as easily be for accountability, creating the process by which officials take responsibility for the security compliance of their systems.
Ross will also lead a FIAC half-day tutorial (Oct. 23) on how the C&A process is aligned to meet new standards for categorizing system security (FIPS-199) and new guidelines for selecting and specifying security controls (Special Pub. 800-53).
Ultimately, all of NIST's IA and IT security programs give IT managers a way of reducing residual risk and residual vulnerabilities to tolerable levels, Ross has said. Several years ago the National Security Agency determined that about 87 percent of all system vulnerabilities occurred at the basic configuration management level, he noted.
For more information about the FIAC conference, visit www.fbcinc.com/fiac.
For more information about NIST IT security programs, visit http://csrc.nist.gov.
Article by PSI Senior Editor Robert Green. Green has covered government for more than 15 years and has been focusing on security issues since 1998. You can reach him at robertgreen@pubsector.net.
Photo Courtesy of NIST and Kathie Koenig-Simon