[ISN] Report: NIST's Cybersecurity Guidelines Aren't Enough

From: InfoSec News <alerts_at_private>
Date: Fri, 14 Aug 2009 04:22:52 -0500 (CDT)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=219300112

By J. Nicholas Hoover
InformationWeek
August 13, 2009 

A set of cybersecurity controls recently recommended by the National 
Institute of Standards and Technology for federal agencies doesn't go 
far enough, according to a watchdog group.

In a preliminary report, the Cyber Secure Institute, an organization 
headed by former government officials and IT executives, calls NIST's 
Recommended Security Controls for Federal Information Systems and 
Organizations, also known as Special Publication 800-53, "an important 
step forward," but finds that the publication raises "a number of 
serious questions."

NIST published a final version of those security controls, which were 
developed with input from civilian, defense, and intelligence agencies, 
earlier this month. The 236-page publication provides guidelines for 
federal agencies to meet under the Federal Information Systems 
Management Act, or FISMA.

Among the shortcomings identified by the Cyber Secure Institute was 
NIST's classification system for assigning "impact" to government 
systems. NIST instructs agencies to determine if systems are low, 
moderate, or high impact and take certain security measures based on 
those assessments. The Cyber Secure Institute worries that low- and 
moderate-impact systems won't be adequately protected against 
"highly-skilled, highly-motivated and well-resourced" attackers.

[...]

Received on Fri Aug 14 2009 - 02:22:52 PDT