From: DNSZone (http://dns.tmcnet.com)

By Neelam Malkani

The Center for Regulatory Effectiveness (CRE), a regulatory watchdog founded and managed by former regulatory officials of the White House Office of Management and Budget, issued a draft of recommendations for NIST, the National Institute of Standards and Technology. The CRE emphasized the adoption of real-time continuous monitoring for federal cyber security operations.

NIST, a little-known agency in the Department of Commerce, is working on an issue of critical importance: developing standards to protect the federal information technology infrastructure from cyber-attacks, as required by FISMA, the Federal Information Security Management Act.

In accordance with FISMA, NIST is responsible for developing standards, guidelines and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems, and it publishes standards and guidelines that provide the foundation for strong information security programs at agencies.

The Center for Regulatory Effectiveness emphasizes that if pending legislation were enacted, the FISMA standards could be mandated on some private sector information systems, including those dealing with water supply, transportation, financial and nuclear control systems. For this reason it is imperative that NIST make the comments it receives available to the public. By making comments on the draft public, NIST would allow, and benefit from, interested parties being able to analyze, comment on, support and criticize the ideas.

Another recommendation by CRE is that NIST should include a “substantial equivalence” provision in the guidance document to enhance compliance flexibility while maintaining rigorous monitoring requirements. A substantial equivalence assurance process would be fully in keeping with FISMA, which requires that NIST, in developing standards and guidelines, to the maximum extent practicable.

One of the themes that runs through CRE’s comments on the draft document is the need for greater specificity. For the guidance document to be a useful tool in improving cyber security, rather than simply serving as pro forma guidance that can mean pretty much whatever a user wants it to mean, it needs to provide crisp, clear definitions and guidance.

Neelam Malkani is a TMCnet contributor. To read more of her articles, please visit her columnist page.