I'd like to include a clarification to your statement. You are correct
that NIST 800-53 provides the controls, and FIPS 200 states that all
federal systems must follow those controls by March 2007.
However, this does not mean that federal systems are not currently
complying with NIST 800-53. In fact, far from it, which is why we hear
so much about the FISMA scorecard.
The Federal Information Security Management Act of 2002 (FISMA) states that:
"Each federal agency shall develop, document, and implement an
agency-wide information security program to provide information
security for the information and information systems that support the
operations and assets of the agency, including those provided or
managed by another agency, contractor, or other source."
Public Law 107-347 (Title III)
Federal Information Security Management Act of 2002
So while FIPS 200 is not yet enforcing NIST 800-53, there are a number
of other regulations and directives that do require agencies to follow
NIST 800-53 controls. The "go live" date of March 2007 should have
little impact for agencies that are on top of their game and currently
complying with FISMA.
However, we will of course hear a lot in the news come March 2007
about who complies and who doesn't, and who is scrambling to catch up.
Mike - interesting observation that if getting a poor FISMA report
can't kick an agency into compliance, maybe a mess of class-action
court lawsuits will. Interesting to note that while the VA laptop was
recovered, the VA is still in the spotlight for poor security
practices - and will probably force some changes that will make FIPS
200 compliance a little easier for them when March 2007 rolls around.
I'm curious to see how your theory works out, and expect the VA's
security practices will improve due to this event.
http://www.pcworld.com/news/article/0,aid,126093,00.asp#
Earl
On 7/5/06, ljknews <ljknews (at) mac (dot) com [email concealed]> wrote:
> At 7:26 PM -0500 6/29/06, Smith, Michael J. wrote:
>
> > An interesting component (you might say it's one of the key complaints)
> > of each case is that they point to the agencies' failing FISMA report
> > cards, saying that the government knew that the security was inadequate,
> > but had failed since 2002 to fix the problem.
> >
> > So, my interesting observation for today is that, with 2 agencies being
> > sued for their inadequate handling of personal information, does this
> > mean that the private sector, through the legal system, has found a way
> > to improve security where Clinger-Cohen and FISMA have all had
> > shortcomings? While inside the government there has always been the
> > threat of actions taken for being non-compliant with these laws, there
> > are now direct and indirect financial burdens for non-compliance.
>
> But to date (at least in the non-DoD area) there is no FISMA requirement
> that systems be secured. FIPS 200 was signed on March 9, 2006 and it
> requires that agencies comply with NIST Special Publication 800-53 by
> one year from that date. Until then, no problem :-)
> --
> Larry Kilgallen
>
--
Earl Crane, MISM, CISM, CISSP, MCSE