NIST announces FISMA Phase II

The National Institute of Standards and Technology is drafting a set of qualifications that agencies and contractors must meet before they can assess the security of federal information systems. The Federal Information Security Management Act of 2002 requires annual security assessments.

Establishing qualifications for those who conduct security assessments marks a new phase in the implementation of FISMA, NIST officials said this week. In the first phase, NIST was preoccupied with creating information security standards and guidelines for federal agencies. In the next phase, NIST’s technical managers will try to create a set of minimum qualifications and procedural standards for anyone who conducts FISMA security assessments. The purpose is to ensure that federal agencies receive consistent and competent assessments.

NIST expects to publish those qualifications in draft form in late June.

“They’re getting into uncharted territory,” said Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium. “They’re getting involved with a credentialing program that involves something other than software and hardware modules.”

NIST held a public workshop April 26 to solicit ideas about to create a pool of service providers qualified to provide security assessments using FISMA standards and guidelines.