NIST prepares due diligence standards for cybersecurity

The National Institute of Standards and Technology is taking new steps to help federal agencies develop a more realistic approach to cybersecurity. In collaboration with the Defense Department and the Office of the Director of National Intelligence, NIST will create a common foundation for risk management, officials said.

Ron Ross, senior computer scientist at NIST, said that because agencies cannot avoid risk, officials should approach cybersecurity by weighing the consequences of a data breach on their agency’s mission. NIST is developing a foundation of standards and guidelines to help officials find a balance between protecting information systems and achieving their agencies’ missions.

“You’re not going to have the same answer across the federal government,” Ross said at an industry event sponsored by GTSI last month. “This is all about having to think about the problem.”

For about five years, agencies have been working to comply with the security provisions of the Federal Information Security Management Act.

“FISMA is good legislation, and we’re making outstanding progress in implementing these policies,” Ross said, but now agencies have to rethink how they fulfill those provisions.

“You’ve got to deploy a sufficient set of security controls to protect every mission that the system is supporting,” Ross said. “We’ve never before had a standard of security due diligence that we’ve been able to define and hold agencies to.” Security due diligence must be the foundation for sharing information securely with other agencies, he added.


Source:
http://www.fcw.com/article103704-09-10-07-Print
