The National Institute of Standards and Technology (NIST) has released for public review and comment a major revision to its security certification and accreditation (C&A) guidelines for federal information systems. A substantial rewrite of the original document, the new Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, represents a significant step toward developing a common approach to information security across the Federal government, including civilian, defense, and intelligence agencies, according to NIST security experts.
When finalized, the revised guide will replace NIST Special Publication 800-37, which was issued in 2004 under the title Guide for the Security Certification and Accreditation of Federal Information Systems. Like the original, the revised guide maps out a basic framework for managing the risks that arise from the operation and use of federal information systems, the measures taken to address or reduce risk, and a formal managerial process for accepting known risks and granting—or withdrawing—authorization to operate information systems. The guide emphasizes the need to treat information security as a dynamic process, with established procedures to monitor, reassess and update security measures to maintain the authorized security state of an information system. The revised security authorization process is designed to be tightly integrated into enterprise architectures and ongoing system development life cycle processes. It promotes the concept of near real-time risk management, capitalizes on investments in technology including automated support tools, and takes advantage of over three decades of lessons learned in previous approaches to certification and accreditation.
Since 2003, NIST has developed and published information security standards and guidelines under the Federal Information Security Management Act (FISMA). While the NIST methodology for analyzing, documenting and authorizing the security of information systems is widely followed by federal agencies operating non-national security systems, other frameworks have coexisted with it for national security systems, including the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) and the National Information Assurance Certification and Accreditation Process (NIACAP). This first revision to SP 800-37 is the result of an interagency effort that is part of a C&A Transformation Initiative working toward a convergence of information security standards, guidelines and best practices across the government's civilian, defense and intelligence agencies. NIST is participating in this effort along with the Office of the Director of National Intelligence (DNI), the Department of Defense (DOD) and the Committee on National Security Systems (CNSS). Future updates to NIST FISMA publications will continue this convergence towards common standards and procedures.
Copies of the initial public draft of SP 800-37 Revision 1 are available from the NIST Computer Security Resource Center at http://csrc.nist.gov. NIST is requesting comments on the draft by Sept. 30, 2008.