A revised draft publication on computer security guidance issued by the National Institute of Standards and Technology (NIST) is focused on transforming the episodic information system certification and accreditation processes at federal agencies by reinforcing and specifying procedures for continuous monitoring and updating. The new procedures will enable organizations to respond more rapidly to cyber security threats, according to NIST computer security experts. Periodic certification and accreditation is required by the Office of Management and Budget in conjunction with additional security requirements described in the Federal Information Security Management Act of 2002, known as FISMA.
The new document, "Special Publication 800-37 Revision 1," describes a Risk Management Framework that stresses security from an information system's initial design phase through implementation and daily operations. It places equal emphasis on selecting the correct set of security controls and on implementing them within a robust continuous monitoring process.
"The existing process can be likened to an automobile checkup every three years," says Ron Ross, lead author and FISMA implementation project leader. "The new approach requires regularly checking basic systems such as oil, tire pressure and the gas gauge to make sure that the check engine light does not go on."
SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is the second in a series of publications produced by the Joint Task Force Transformation Initiative, which is a partnership of NIST, the Office of the Director of National Intelligence, the Department of Defense and the Committee on National Security Systems to develop a common information security framework for the federal government and its support contractors.
SP 800-37 Revision 1 relies on a six-step Risk Management Framework (categorize, select, implement, assess, authorize, monitor) that places greater emphasis on three things: building security capabilities into information systems from the start by applying state-of-the-art management, operational, and technical security controls; using enhanced monitoring processes to provide ongoing situational awareness of the information system's security state; and understanding and accepting the risk to organizational operations and assets, individuals, other organizations and the nation that arises from the use of information systems.
"Continuously monitoring systems allows managers to focus on managing risk—risk from the current threats and constant barrage of new cyber attacks being discovered that need a quick solution," Ross explains.
An initial public draft of SP 800-37 Revision 1 was published in August 2008. That draft was substantially modified after the Joint Task Force was created in 2009, incorporating insights from NIST's partners so that the document reflects the information security needs of the entire federal government.
NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach is open to public comment through Dec. 31, 2009. Comments should be sent to sec-cert [at] nist.gov.
The final document is expected to be published in February 2010.
*The final document (dated February 2010) is now available.