The new FISMA standards and guidelines changing the dynamic of information security for the federal government

The Federal Information Security Management Act (FISMA) of 2002 places significant requirements on federal agencies for the protection of information and information systems, and places significant requirements on the National Institute of Standards and Technology (NIST) to assist federal agencies in complying with FISMA. In response to this important legislation, NIST is leading the development of key information system security standards and guidelines as part of its FISMA Implementation Project (http://csrc.nist.gov/sec-cert/index.html). This high-priority project includes the development of security categorization standards; standards and guidelines for the specification, selection, and testing of security controls for information systems; guidelines for the certification review and accreditation of information systems; and guidelines for the continuous monitoring of controls to ensure they continue to operate as intended. This paper includes a discussion of NIST's FISMA risk management framework (RMF) and the suite of related standards and guidelines being developed by NIST to help federal agencies comply with FISMA requirements (i.e., the FISMA suite of documents). In addition, the paper discusses how agency systems will benefit from applying the FISMA RMF and why the FISMA RMF and the related suite of standards and guidelines should be of interest to other government sectors (e.g., DoD) and to the commercial sector.