The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”). The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems. 
Continue Reading NIST Releases Fifth Revision of Special Publication 800-53

On December 18, 2014, President Obama signed a bill reforming the Federal Information Security Management Act of 2002 (“FISMA”). The new law updates and modernizes FISMA to provide a leadership role for the Department of Homeland Security, include security incident reporting requirements, and other key changes.

Background:  FISMA was originally passed in 2002 to provide a framework for the development and maintenance of minimum security controls to protect federal information systems. FISMA charged the Director of the Office of Management and Budget (“OMB”) with oversight of agency information security policies and practices.

Changes:  The newly signed law, the “Federal Information Security Modernization Act of 2014” (FISMA 2014”), makes several key changes to FISMA.

First, the law authorizes the Secretary of the Department of Homeland Security (“DHS”) to assist the OMB Director in administering the implementation of agency information and security practices for federal information systems. Among the Secretary’s responsibilities are convening meetings with senior agency officials, coordinating government-wide efforts for information security, consulting with the Director of the National Institute of Standards and Technology (“NIST”), and providing operational and technical assistance to agencies. Perhaps most importantly, the Secretary is tasked with developing and overseeing the implementation of “binding operational directives” to agencies to implement policies, principles, standards, and guidelines developed by the OMB Director. “Binding operational directives” are defined in FISMA 2014 as a “compulsory direction” to an agency “for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.”

This delegation of responsibility is likely related to another new law codifying DHS’s cybersecurity role, and authorizing a cybersecurity information-sharing hub, the National Cybersecurity and Communications Integrations Center.
Continue Reading FISMA Updated and Modernized