http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=219300112

By J. Nicholas Hoover
InformationWeek
August 13, 2009

A set of cybersecurity controls recently recommended by the National Institute of Standards and Technology for federal agencies doesn't go far enough, according to a watchdog group.

In a preliminary report, the Cyber Secure Institute, an organization headed by former government officials and IT executives, calls NIST's Recommended Security Controls for Federal Information Systems and Organizations, also known as Special Publication 800-53, "an important step forward," but finds that the publication raises "a number of serious questions."

NIST published a final version of those security controls, which were developed with input from civilian, defense, and intelligence agencies, earlier this month. The 236-page publication provides guidelines for federal agencies to meet under the Federal Information Systems Management Act, or FISMA.

Among the shortcomings identified by the Cyber Secure Institute was NIST's classification system for assigning "impact" to government systems. NIST instructs agencies to determine if systems are low, moderate, or high impact and take certain security measures based on those assessments. The Cyber Secure Institute worries that low- and moderate-impact systems won't be adequately protected against "highly-skilled, highly-motivated and well-resourced" attackers.

[...]

Received on Fri Aug 14 2009 - 02:22:52 PDT