At 5:24 PM -0400 7/5/06, Earl Crane wrote:
> Larry,
>
> I'd like to include a clarification to your statement. You are correct
> that NIST 800-53 provides the controls, and FIPS 200 states that all
> federal systems must follow those controls by March 2007.
>
> However, this does not mean that federal systems are not currently
> complying with NIST 800-53. In fact, far from it, which is why we hear
> so much about the FISMA scorecard.
But the FY 2005 "FISMA scorecard" was based on:

  - Whether federal systems have been inventoried
  - Whether federal systems have been assigned an impact level
  - Whether federal systems have been tested against 800-53

The FY 2005 "FISMA scorecard" was _not_ based on whether the systems
_passed_ the test against 800-53.
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html
The rules for agency reports toward the FY 2006 "FISMA scorecard" have
not yet been released by OMB, and compared to last year's schedule, they
are overdue.
--
Larry Kilgallen