NIST: Continuous monitoring can lead to false sense of security
Continuous monitoring of information technology systems does not take the place of system security authorization, says a new FAQ posted to the National Institute of Standards and Technology's webpage on the Federal Information Security Management Act.
"Continuous monitoring in and of itself, does not provide a comprehensive, enterprise‐wide risk management approach," the FAQ states.
Office of Management and Budget guidance in Circular A-130 and the risk management concepts embedded in FISMA require that an authorizing official review and accept the risk of a system "on an ongoing basis," the FAQ states.
Critics of FISMA have pushed for the more continuous and automated monitoring of IT systems, often disapproving of the formal system risk assessment process known as certification and accreditation, calling it a paper-bound and irrelevant exercise.
NASA has told its system administrators that systems already certified and accredited to operate on the agency's network need not be recertified this fiscal year, unless an authorizing official requests it.
The NIST FAQ draws the line differently: "continuous monitoring activities contribute to helping authorizing officials make better risk‐based decisions, but do not replace the security authorization process." The FAQ adds that continuous monitoring can produce a false sense of security if the controls being monitored are weak or ineffective: monitoring reports only on the controls that were selected and implemented, so it cannot compensate for controls that were never adequately designed.
"Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished," the FAQ states.
NIST is developing additional guidance on continuous monitoring that should be available sometime this summer.
For more:
- the NIST continuous monitoring FAQ (.pdf)
- the NASA memo on suspension of certification and accreditation activity (.pdf)