Integrating IT Security into the Capital Planning and Investment Control Process
To assist federal agencies in effectively integrating security into the capital planning and investment control (CPIC) process, NIST has released Special Publication (SP) 800-65, Integrating IT Security into the Capital Planning and Investment Control Process. It provides tips and pointers as well as a sample methodology that can be used to prioritize security requirements in support of agency business units. The publication describes the risk factors that should be considered when addressing security investments, and it links the current Office of Management and Budget (OMB) guidance in this area to the current Federal Information Security Management Act (FISMA), including the Plan of Action and Milestones (POA&M) process that all agencies are required to implement. SP 800-65 describes in detail the underpinning methodology, which can be readily applied to integrate and prioritize security requirements within an agency's capital planning and investment planning process, using well-understood concepts from the current FISMA framework and existing NIST standards and guidance. This ITL Bulletin summarizes the special publication.
Keywords: capital planning and investment control, CPIC, FISMA, IT security investments
Citation: Integrating IT Security into the Capital Planning and Investment Control Process, ITL Bulletin, National Institute of Standards and Technology, Gaithersburg, MD, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=150213 (Accessed December 8, 2023)