A key issue discussed on the second day of the regularly scheduled meeting of the Internet Security and Privacy Advisory Board (ISPAB), an expert advisory body established by Congress to advise NIST, the Secretary of Commerce and OMB, concerned revisions to Circular A-130, Management of Federal Information Resources. Revisions to Appendix III of the Circular, Security of Federal Automated Information Resources, were the focus of discussions. The ISPAB received a presentation on possible revisions to A-130 from representatives of a highly experienced ad hoc group convened to provide OMB with guidance on A-130 information security issues.
Continuous monitoring was the first topic to be addressed with respect to A-130. There is broad consensus that A-130 needs to be updated with respect to continuous monitoring, and the importance of monitoring was reflected in discussions on other A-130 information security and privacy issues. The Board's discussions made clear that one reason continuous monitoring is important is that it drives people to change and provides the information needed to guide those changes. Continuous monitoring allows organizations to move away from a compliance-based (checklist) paradigm toward strategies focused on risk management and mitigation.
The basic continuous monitoring issue the ad hoc A-130 advisory group is working on is what continuous monitoring means today versus what it will mean in five to ten years. The goals for the revisions to the information security portion of A-130 include bringing it up to date and ensuring that it is flexible enough to accommodate changes in technology.
For more information on the presentation to the ISPAB on revising A-130, please see Updating OMB Circular A-130 Management of Federal Information Resources on FISMA Focus.