Privacy Digest

News that can impact your privacy.

NIST.gov - Computer Security Division - Computer Security Resource Center

Submitted by MacRonin on March 24, 2009 - 7:20am
  • Editorial
  • Government
  • Hmmm
  • Infrastructure
  • Privacy
  • Security
  • Standards

NIST.gov - Computer Security Division - Computer Security Resource Center (via NIST.gov):

The Computer Security Division (CSD) - (893)

The Computer Security Division Responds to the Federal Information Security Management Act of 2002


The E-Government Act [Public Law 107-347] passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), included duties and responsibilities for the Computer Security Division in Section 303 “National Institute of Standards and Technology.”  Work to date includes:

  • Provide assistance in using NIST guides to comply with FISMA – Information Technology Laboratory (ITL) Computer Security Bulletin Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government (issued November 2004).
  • Provide a specification for minimum security requirements for Federal information and information systems using a standardized, risk-based approach – Developed FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (issued March 2006).
  • Define minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category – Developed SP 800-53, Recommended Security Controls for Federal Information Systems (revision 1 issued December 2006).
  • Identify methods for assessing effectiveness of security requirements - SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (second public draft issued April 2006).
  • Bring the security planning process up to date with key standards and guidelines developed by NIST – SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems (issued February 2006).
  • Provide assistance to Agencies and private sector – Conduct ongoing, substantial reimbursable and non-reimbursable assistance support, including many outreach efforts such as the Federal Information Systems Security Educators’ Association (FISSEA), the Federal Computer Security Program Managers’ Forum (FCSM Forum), the Small Business Corner, and the Program Review for Information Security Management Assistance (PRISMA).
  • Evaluate security policies and technologies from the private sector and national security systems for potential Federal agency use – Host a growing repository of Federal agency security practices, public/private security practices, and security configuration checklists for IT products.  In conjunction with the Government of Canada’s Communications Security Establishment, CSD leads the Cryptographic Module Validation Program (CMVP).  The Common Criteria Evaluation and Validation Scheme (CCEVS) and CMVP facilitate security testing of IT products usable by the Federal government.
  • Solicit recommendations of the Information Security and Privacy Advisory Board on draft standards and guidelines – Solicit recommendations of the Board regularly at quarterly meetings.
  • Provide outreach, workshops, and briefings – Conduct ongoing awareness briefings and outreach to our customer community and beyond to ensure comprehension of guidance and awareness of planned and future activities.  We also hold workshops to identify areas our customer community wishes addressed, and to scope guidance in a collaborative and open format.
  • Satisfy annual NIST reporting requirement – Produce an annual report as a NIST Interagency Report (IR). The 2003-2006 Annual Reports are available via the Web or upon request.

Read Original Article (via NIST.gov)


Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.