Authorizing Federal Systems Continuously

From: GovInfoSecurity.com

Abolishing the Triennial Security Reauthorization Rule

Old habits are hard to break, and a number of CIOs and CISOs have been slow to adopt a process for continuously assuring the security of their agencies’ information systems. A new NIST guide could help agencies transition away from the 14-year-old requirement to reauthorize IT systems every three years.

The National Institute of Standards and Technology this week issued a 10-page guide, Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management, which establishes processes U.S. federal agencies should follow to conduct continuous systems risk assessments and security authorizations.

“Agencies were a little bit hesitant to go off down that road of moving from the static, three-year process to the more dynamic one where they’re pretty much looking at risk in near real-time,” says NIST Fellow Ron Ross, one of the supplemental guide’s authors.
