The Computer Security Division (CSD) - (773)
The Computer Security Division Responds to the Federal Information Security Management Act of 2002
The E-Government Act [Public Law 107-347] passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), included duties and responsibilities for the Computer Security Division in Section 303 “National Institute of Standards and Technology.” Work to date includes:
- Provide assistance in using NIST guides to comply with FISMA – Information Technology Laboratory (ITL) Computer Security Bulletin Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government (issued November 2004).
- (FY 2011): Issued 17 final NIST Special Publications (SPs) that provided management, operational, and technical security guidance in areas such as: Basic Input/Output System (BIOS) protection, cloud computing, configuration management, cryptography, industrial control system security, information security continuous monitoring,
key management, security automation, and virtualization. In addition, 19 draft SPs on a variety of topics, including: cloud computing, cryptographic key management, electronic authentication, personal identity verification, and risk assessments, were issued for public comment;
- Provide a specification for minimum security requirements for Federal information and information systems using a standardized, risk-based approach – Developed FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (issued March 2006).
- Define minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category – Developed SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (issued August 2009).
- Identify methods for assessing effectiveness of security requirements - SP 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems (issued June 2010).
- Bring the security planning process up to date with key standards and guidelines developed by NIST – SP 800-18 Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans (issued February 2006).
- Provide assistance to Agencies and private sector – Conduct ongoing, substantial reimbursable and non-reimbursable assistance support, including many outreach efforts such as the Federal Information Systems Security Educators’ Association (FISSEA), the Federal Computer Security Program Managers’ Forum (FCSM Forum), the Small Business Corner, and the Program Review for Information Security Management Assistance (PRISMA).
- Evaluate security policies and technologies from the private sector and national security systems for potential Federal agency use – Host a growing repository of Federal agency security practices, public/private security practices, and security configuration checklists for IT products. In conjunction with the Government of Canada’s Communications Security Establishment, CSD leads the Cryptographic Module Validation Program (CMVP). The Common Criteria Evaluation and Validation Scheme (CCEVS) and CMVP facilitate security testing of IT products usable by the Federal government.
- Solicit recommendations of the Information Security and Privacy Advisory Board on draft standards and guidelines – Solicit recommendations of the Board regularly at quarterly meetings.
- Provide outreach, workshops, and briefings – Conduct ongoing awareness briefings and outreach to our customer community and beyond to ensure comprehension of guidance and awareness of planned and future activities. We also hold workshops to identify areas our customer community wishes addressed, and to scope guidance in a collaborative and open format.
- Satisfy annual NIST reporting requirement – Produce an annual report as a NIST Interagency Report (IR). The 2003--2011 Annual Reports are available via the Web (under the Annual Reports section) or upon request.