NIST Issues Risk Management Guidance

The federal agency for implementing technology standards has published a guide to help government organizations weave overall objectives and goals into the fabric of their security strategy.

The National Institute of Standards and Technology (NIST) has published "Managing Information Security Risk: Organization, Mission, and Information System View" to support the Federal Information Security Management Act (FISMA), according to the institute. FISMA is NIST's security standard for IT products and systems deployed in the federal government and a key requirement for IT products that agencies consider using in their IT environments.

NIST's new publication, written by NIST fellow Ron Ross with several others, introduces a holistic approach to risk management rather than merely focusing on its IT aspect, a narrow scope that agencies traditionally have followed, according to NIST.

The publication instead asks organizations to consider its overall missions and business functions first when they consider risk-management and security. They are then encouraged to work from there to integrate security into information systems as well, according to NIST.

The goal of this approach is to make sure that agencies' decisions about security -- at the organization, individual, partnership, and even national level -- are driven by strategic investments rather than IT interests or investments.

It also is meant to encourage organizations to build more secure systems that help their leaders understand the threats that exist beyond a mere IT level by the "ever-increasing use of, and dependence on, information technology, and network connectivity," Ross said in a statement.

The recently published guide is the fourth in a series of risk management and IT security guidelines that the Joint Task Force Transformation Initiative -- a joint partnership between NIST, the Department of Defense, the Intelligence Community coalition, and the Committee on National Security Systems -- has published to help federal agencies build more secure IT systems.

The initiative's goal is to address the security challenges of both the federal government and U.S. critical infrastructure. The Secretary of Defense, the director of national intelligence, and the Secretary of Commerce lead the initiative.

Cybersecurity -- both internally and externally -- is a chief concern of the federal government under the Obama administration, which has directed a number of agencies to address the broader issue as well as each agency to shore up security within its own organization.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.