Larry,
I'd like to include a clarification to your statement. You are correct that NIST 800-53 provides the controls, and FIPS 200 states that all federal systems must follow those controls by March 2007. However, this does not mean that federal systems are not currently complying with NIST 800-53. In fact, far from it, which is why we hear so much about the FISMA scorecard.
The Federal Information Security Management Act of 2002 (FISMA) states that:

"Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…"

Public Law 107-347 (Title III)
Federal Information Security Management Act of 2002
So while FIPS 200 is not yet enforcing NIST 800-53, there are a number of other regulations and directives that do require agencies to follow NIST 800-53 controls. The "go live" date of March 2007 should have little impact for agencies that are on top of their game and currently complying with FISMA.
However, we will of course hear a lot in the news come March 2007 about who complies and who doesn't, and who is scrambling to catch up.
Mike – interesting observation that if getting a poor FISMA report can't kick an agency into compliance, maybe a mess of class-action court lawsuits will. Interesting to note that while the VA laptop was recovered, the VA is still in the spotlight for poor security practices – and will probably force some changes that will make FIPS 200 compliance a little easier for them when March 2007 rolls around. I'm curious to see how your theory works out, and expect the VA's security practices will improve due to this event.
http://www.pcworld.com/news/article/0,aid,126093,00.asp#
Earl
On 7/5/06, ljknews <ljknews mac.com> wrote:
> At 7:26 PM -0500 6/29/06, Smith, Michael J. wrote:
>
> > An interesting component (you might say it's one of the key complaints) of each case is that they point to the agencies' failing FISMA report cards, saying that the government knew that the security was inadequate, but had failed since 2002 to fix the problem.
> >
> > So, my interesting observation for today is that, with 2 agencies being sued for their inadequate handling of personal information, does this mean that the private sector, through the legal system, has found a way to improve security where Clinger-Cohen and FISMA have all had shortcomings? While inside the government there has always been the threat of actions taken for being non-compliant with these laws, there are now direct and indirect financial burdens for non-compliance.
>
> But to date (at least in the non-DoD area) there is no FISMA requirement that systems be secured. FIPS 200 was signed on March 9, 2006 and it requires that agencies comply with NIST Special Publication 800-53 by one year from that date. Until then, no problem.
> --
> Larry Kilgallen
>
--
Earl Crane, MISM, CISM, CISSP, MCSE