National Journal MagazineNational Journal MagazineThe HotlineCongress Daily
Search Congress Daily
  
Advanced Search
About CD
Contacts
Reprints
Privacy Policy

Search








Recent Entries


Categories


Archives


National Journal Blogs

-- The Blogometer
-- Hotline On Call
-- Tech Policy Pod

New Media

-- Center for Citizen Media
-- CyberJournalist.net
-- E-Media Tidbits
-- NewAssignment.net
-- PressThink
-- Social Media

Online Politics

-- IPDI
-- Personal Democracy Forum
-- Politics And Technology
-- PrezVid
-- TechPresident

Tech Policy

-- The 463: Inside Tech Policy
-- Broadband Hub
-- Capitol Valley
-- CDT's PolicyBeta
-- Cisco High-Tech Policy Blog
-- Computing Research Policy Blog
-- Deep Links
-- Freedom To Tinker
-- Google Public Policy Blog
-- Homeland Security Watch
-- IPcentral
-- Information Policy Action Committee
-- Lawrence Lessig
-- PFF Blog
-- Politech
-- The Precursor Blog
-- Public Knowledge
-- Save The Internet
-- TIA TeleCommunities
-- The Technology Liberation Front
-- Tech Policy Summit
-- U.S. Association for Computing Machinery
-- Verizon PoliBlog




Powered by
Movable Type 3.2


« MPAA Chief's Net Neutrality Remarks Criticized | Main | ValueClick To Pay $2.9 Mil In FTC Case »

NIST Reacts To FISMA Allegations

An article I wrote in CongressDaily on March 11 previewing a Senate Homeland Security and Governmental Affairs Federal Financial Management Subcommittee hearing about the Federal Information Security Management Act struck a nerve over at the National Institute of Standards and Technology -- big time.

In the story, Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group, blamed NIST for some of FISMA's failings. He said NIST's guidelines are too broad and he claimed that "the people at NIST, if they ever ran IT systems, it's been decades."

Since the piece was written on a tight deadline, I was unable to reach out to get a reaction from NIST at the time, so Ron Ross, leader of NIST's FISMA implementation project offered up some thoughts on Monday (per my suggestion). So, here goes...

The NIST team includes plenty of private and public sector expertise in development and testing of IT products and systems, and conducting simulated attacks on networks, he wrote. They also work closely with those who run NIST's own IT systems "to get feedback on the practicality of proposed safeguards and countermeasures."

"To complement this broad base of technical and management expertise, NIST employs a comprehensive public review process on every FISMA standard and guideline. In most cases, the FISMA security publications go through three full public vetting cycles," Ross wrote, noting that NIST also seeks input from security and IT professionals nationwide.

His bottom line: "The process employed by NIST to develop FISMA standards and guidelines does work. FISMA security publications are widely accepted and appreciated by federal IT managers and security professionals, and are in fact frequently adopted on a voluntary basis by many organizations in the private sector."

Posted by Andrew on March 17, 2008 09:26 PM | Permalink

Trackback Pings

TrackBack URL for this entry:
http://amcblog.nationaljournal.com/cgi-bin/mt/mt-tb.cgi/3912

Comments


Post a Comment




Remember Me?

(you may use HTML tags for style)

By using this Service you agree not to post material that is obscene, harassing, defamatory, or otherwise objectionable. Although Tech Daily Dose does not monitor comments posted to this site (and has no obligation to), it reserves the right to delete, edit, or move any material that it deems to be in violation of this rule.