NIST to develop credentials for FISMA consultants

The goal is to give agencies more confidence that their security contractors are up to the job.

The National Institute of Standards and Technology has begun a project to develop a set of security credentials aimed at assessment providers.

The credentials build on NIST’s security and risk management guidance for the Federal Information Security Management Act.

Agencies typically hire contractors to help them certify and accredit their systems to meet FISMA requirements. As agencies move to a risk management approach, it is important that they be confident that the contractors they hire can adequately provide those services, said Ron Ross, NIST senior computer scientist.

“In essence, we’re going to be credentialing organizations to demonstrate their competence in applying everything that you see in NIST’s Risk Management Framework,” he said at an information assurance conference sponsored by Guidance Software on Nov. 29.

On Sept. 29, NIST released a draft document outlining provider requirements and customer responsibilities for the program, which Ross calls FISMA II.

NIST has developed standards and guidelines to move agencies toward a dynamic risk management approach to FISMA, highlighted by continuous monitoring of security controls. The goal is to move away from what has been a paper exercise that documents an agency’s security state based on a snapshot in time.

In addition, NIST, the Office of the Director of National Intelligence and the Defense Department are working on converging security standards across government to encourage trust in each other’s systems and information sharing.

Besides setting a bar for security assessors, NIST also wants to develop a stronger and more competent cybersecurity workforce. NIST is developing a set of training modules for each of the standards and guidelines in its FISMA series, with the first module anticipated for next spring, Ross said.

Each module will include frequently asked questions; a crib sheet version of fundamentals, such as how to do security categorization or tailor security controls; and a detailed and comprehensive guide for each standard. He hopes to link it to the Information System Security Line of Business.

“These training modules will be developed at government expense, offer classes free of charge in the first couple of cycles to get the students and to give us feedback on how the training modules really are,” Ross said. After revising the modules based on that feedback, NIST will make them available to the public and private sectors.