OMB Sets Continuous Monitoring Software Deadline

From: Federal News Radio

EXCLUSIVE: OMB uses budget to set cyber deadlines

By Jason Miller
Executive Editor
Federal News Radio

The Office of Management and Budget gave agency chief information officers marching orders to implement software to continuously monitor the security of their networks by the end of fiscal 2012.

This was just one of several governmentwide provisions in the administration’s annual IT budget passback guidance. Federal News Radio obtained exclusive details about the passback from multiple federal sources.

Federal chief information officer Vivek Kundra sent agency CIOs guidance as part of the 2012 budget request in December.


NIST Cancels 2nd Public Draft of SP 800-137 Continuous Monitoring

NIST’s revised FISMA implementation schedule omits publishing and requesting comment on a second public draft of their guidance document, SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations.

The agency’s previous schedule called for the first public draft (1PD) of SP 800-137 to be released in November, a second public draft (2PD) to be released in February, a final public draft (FPD) to be released in May, and the final document to be published in June 2011.

The most recently revised schedule omits the second public draft and projects that the final public draft will be released in May with final document publication expected in August 2011.


Is Anyone Really Doing Continuous Monitoring?

From: GovInfo Security

Finding the Right Definition Would Help
January 10, 2011 – Bruce Brody

An Internet image search on “You’re doing it wrong” produces many funny images. Fortunately, I haven’t found one to depict the federal government’s approach to implementing continuous monitoring. But based on the way things are going, one is bound to appear soon, and it wouldn’t be funny.


NIST: Two Publications Recommend Organization-Wide IT Security Risk Management

For Immediate Release: January 5, 2011
Contact: Evelyn Brown

Two new draft publications from the National Institute of Standards and Technology (NIST) provide the groundwork for a three-tiered risk-management approach that encompasses computer security risk planning from the highest levels of management to the level of individual systems. The draft documents have been released for public comment.

Both publications are part of NIST’s risk management guidelines, which have been developed in support of the Federal Information Security Management Act (FISMA) and adopted governmentwide to improve the security of government systems and information. Both call for upper-level management to understand that information security is a key component of mission-critical functions and that top managers need to manage information security risk in coordination with chief information officers, chief information security officers and system owners to meet the organization’s goals.