The National Institute of Standards and Technology is providing agencies with the steps needed to transition to a more dynamic cybersecurity environment.
As agencies continue to move toward real-time risk management, NIST released additional guidance for updating the information system authorization process.
NIST’s supplemental guidance builds on the Office of Management and Budget’s information system continuous monitoring (ISCM) process, detailed in a November 2013 memo. In that guidance, OMB gave agencies until 2017 to implement this new approach to securing their systems and data.
OMB required NIST “to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and ongoing authorization.” NIST stated the “additional guidance amplifies current NIST guidance on security authorization and ongoing authorization (OA).”
Under this new approach, agencies can transition to ongoing authorization once they have implemented an information system continuous monitoring (ISCM) process and the authorizing official (AO) approves it.
NIST defines ISCM as “maintaining an ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.”
Under the ISCM process, agencies should establish metrics that monitor and assess the effectiveness of security controls. Agencies also should analyze the data they have collected, respond to the analysis and report security threats or vulnerabilities.
Agencies must establish an ISCM process with “the appropriate rigor and assessment frequencies to support the organization’s mission/business requirements, risk tolerance and security categorization” to move toward effective OA, according to NIST.
Additionally, agencies must have a process that is time-driven or event-driven. In a time-driven format, ISCM processes include systems for notifying AOs when the pre-determined time for review and authorization of a program arrives. The frequency of review is determined by the organization to best suit the specific program’s level of risk.
For event-driven authorization frequency, NIST lays out possible triggers including, “new threat/vulnerability/impact information; an increased number of findings/weaknesses/deficiencies from the ISCM program; new missions/business requirements; a change in the authorizing official; a significant change in risk assessment findings; significant changes to the information system, common controls, or the environment of operation; or organizational thresholds being exceeded.”
“A full reauthorization may be necessary when an event occurs that produces risk above the acceptable organizational risk tolerance (e.g., a catastrophic breach/incident, failure of or significant problems with the ISCM program),” NIST said. In this situation, it may be necessary to alter parts of the ISCM process.
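The time-driven and event-driven review logic described above, modeled as a small Python evaluator. This is an added example written for this article, not code from NIST or from the supplemental guidance; the trigger identifiers paraphrase NIST's quoted list, while the review interval, the 0-10 risk score and the risk tolerance are constructed values chosen for illustration. An event that pushes risk above the organization's tolerance yields a full reauthorization; other recognized triggers, or an elapsed review interval, only notify the AO.

```python
"""
Added example (not from the article or from NIST): a minimal model of ongoing
authorization (OA) decision logic. An authorization is reviewed either on a
time-driven schedule or when an event-driven trigger fires; an event whose
risk exceeds the organization's tolerance calls for full reauthorization.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Event-driven triggers, paraphrased from NIST's quoted list.
EVENT_TRIGGERS = {
    "new_threat_vulnerability_impact_info",
    "increased_iscm_findings",
    "new_mission_business_requirements",
    "change_in_authorizing_official",
    "significant_change_in_risk_assessment",
    "significant_system_or_environment_change",
    "organizational_threshold_exceeded",
}


@dataclass
class MonitoringEvent:
    trigger: str        # one of EVENT_TRIGGERS
    risk_score: float   # constructed 0-10 scale derived from ISCM metrics
    occurred: date


@dataclass
class AuthorizationState:
    system: str
    last_review: date
    review_interval: timedelta   # time-driven frequency chosen by the organization
    risk_tolerance: float        # constructed: highest acceptable risk score
    events: list = field(default_factory=list)


def evaluate(state, today):
    """Return (action, reasons).

    'continue'     - ongoing authorization stands, nothing for the AO to do
    'notify_ao'    - a time-driven or event-driven review is due
    'reauthorize'  - an event produced risk above tolerance; full reauthorization
    """
    recent = [e for e in state.events if e.occurred > state.last_review]
    for e in recent:
        if e.trigger not in EVENT_TRIGGERS:
            raise ValueError(f"unknown trigger: {e.trigger}")

    # Risk above tolerance overrides everything else.
    over = [f"{e.trigger}: risk {e.risk_score} exceeds tolerance {state.risk_tolerance}"
            for e in recent if e.risk_score > state.risk_tolerance]
    if over:
        return "reauthorize", over

    reasons = [f"event-driven trigger: {e.trigger}" for e in recent]
    # Time-driven: the pre-determined review point has been reached.
    if today - state.last_review >= state.review_interval:
        reasons.append("time-driven review interval elapsed")
    if reasons:
        return "notify_ao", reasons
    return "continue", []


def sample_state(events=()):
    """Constructed system under OA: reviewed 2014-01-15, 180-day cycle, tolerance 7.0."""
    return AuthorizationState(
        system="example-hr-portal (constructed)",
        last_review=date(2014, 1, 15),
        review_interval=timedelta(days=180),
        risk_tolerance=7.0,
        events=list(events),
    )


def run_scenarios():
    """Four constructed situations; returns the action decided for each."""
    quiet = evaluate(sample_state(), date(2014, 3, 1))
    ao_change = evaluate(
        sample_state([MonitoringEvent("change_in_authorizing_official", 3.0, date(2014, 2, 20))]),
        date(2014, 3, 1))
    interval_elapsed = evaluate(sample_state(), date(2014, 8, 1))
    breach = evaluate(
        sample_state([MonitoringEvent("significant_system_or_environment_change", 9.0, date(2014, 2, 25))]),
        date(2014, 3, 1))
    return [quiet[0], ao_change[0], interval_elapsed[0], breach[0]]


if __name__ == "__main__":
    for action in run_scenarios():
        print(action)
```

Running the block prints the four decisions in order: `continue`, `notify_ao`, `notify_ao`, `reauthorize`. The ordering inside `evaluate` matters: a risk-above-tolerance event is checked before the routine triggers so that a catastrophic event cannot be downgraded to a mere AO notification by a coinciding scheduled review.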
NIST also clarified that implementing ongoing authorization does not change the actual process of authorization, but only “makes the process more efficient and produces more timely information for AOs to support risk-based decision making with regard to the information systems and common controls supporting organizational missions/business functions.”
The institute recommended organizations take the transition slowly. It suggested starting with individual segments or low-impact systems and expanding from there.
Stephanie Wasko is an intern with Federal News Radio.