Final Public Draft of NIST SP 800-39 Integrated Enterprise-Wide Risk Management to be Released on 11/14

From: NIST

NIST Special Publication 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View, is the fourth in the series of risk management and information security guidelines being developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. The partnership, under the leadership of the Secretary of Defense, the Director of National Intelligence, and the Secretary of Commerce, continues to collaborate on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure.

The final public draft of Special Publication 800-39 introduces a three-tiered risk management approach that allows organizations to focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how risk is assessed, responded to, and monitored over time in the context of critical missions and business functions. The strategic focus of the risk management strategy allows organizations to influence the design of key mission and business processes—making these processes risk aware. Risk-aware mission/business processes drive enterprise architecture decisions and facilitate the development and implementation of effective information security architectures that provide roadmaps for allocating safeguards and countermeasures to information systems and the environments in which those systems operate.

The multitiered risk management approach (moving from organization to missions to systems) ensures that strategic considerations (including top-level organizational goals and objectives) drive investment and operational decisions with regard to managing risk to organizational operations and assets, individuals, other organizations, and the Nation. This type of risk-based decision making is especially important with respect to how organizations address advanced persistent threats, which have the potential, through sophisticated cyber attacks, to degrade or debilitate federal information systems supporting the critical applications and operations of the federal government.

The risk management approach described in this publication is supported by a series of security standards and guidelines necessary for managing information security risk. In particular, the Special Publications developed by the Joint Task Force Transformation Initiative supporting the unified information security framework for the federal government include:

  • Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach;
  • Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations;
  • Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations; and
  • Draft Special Publication 800-30, Guide for Conducting Risk Assessments.

SP 800-39 supersedes the original SP 800-30 as the source for guidance on risk management. SP 800-30 is being revised to provide guidance on risk assessment as a supporting document to SP 800-39 and is projected for final publication in 2011.

The final comment period for Special Publication 800-39 is December 14, 2010 to January 25, 2011. Please send comments to sec-cert@nist.gov.

Ron Ross
FISMA Implementation Project Leader
Joint Task Force Leader
