Center for Regulatory Effectiveness Advises Continuous Monitoring for NIST
From: DNSZone (http://dns.tmcnet.com)
By Neelam Malkani
The Center for Regulatory Effectiveness (CRE), a regulatory watchdog founded and managed by former regulatory officials of the White House Office of Management and Budget, issued a draft of recommendations for NIST, the National Institute of Standards and Technology. The CRE emphasized the adoption of real-time continuous monitoring for federal cyber security operations.
In accordance with FISMA, NIST is responsible for developing standards, guidelines and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.
NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies.
The Center for Regulatory Effectiveness emphasizes that if pending legislation were enacted, the FISMA standards could be mandated for some private sector information systems, including those dealing with water supply, transportation, financial and nuclear control systems. For this reason it is imperative that NIST make the comments it receives available to the public. By making comments on the draft public, NIST would allow interested parties to analyze, comment on, support and criticize the ideas, and would benefit from their doing so.
Another recommendation by CRE is that NIST should include a "substantial equivalence" provision in the guidance document to enhance compliance flexibility while maintaining rigorous monitoring requirements. A substantial equivalence assurance process would be fully in keeping with FISMA, which requires that NIST, in developing standards and guidelines, to the maximum extent practicable.
One of the themes that run through CRE's comments on the draft document is the need for greater specificity. For the guidance document to be a useful tool in improving cyber security, rather than pro forma guidance that can mean whatever a user wants it to mean, it needs to provide crisp, clear definitions and guidance.
Neelam Malkani is a TMCnet contributor. To read more of her articles, please visit her columnist page.