Risk Guidance Needn't be So Literal
Agencies Urged to Follow Spirit of NIST Recommendations

National Institute of Standards and Technology guidance isn't gospel; it's - well - guidance.
A recent report prepared by the Department of Homeland Security's National Cybersecurity Division, entitled FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, says there should be flexibility in how agencies apply that guidance.
The report's authors cite NIST SP 800-53R3 (Recommended Security Controls for Federal Information Systems and Organizations) itself in making that point (emphasis added by DHS authors):
"When assessing federal organization compliance with NIST Special Publications, inspectors general, evaluators, auditors and assessors, should consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission/business responsibilities, operational environment and unique organizational conditions."
DHS encourages auditors to use the type of risk analysis described in NIST SP 800-39 (Managing Information Security Risk) to evaluate findings, and to compare those findings against existing organizational priorities, administration priorities and the key FISMA metrics identified in the chief-information-officer metrics, in order to determine areas of weakness and highlight the significance of security issues.
"This is not to suggest that OIGs (Offices of Inspector General) should conduct their own full risk analysis," the DHS report says. "Rather, it is expected that the organization's own risk analysis be evaluated by the OIG to assess how the organization applied 800-39 guidance in the context of its mission, responsibilities and environment."
Nearly every information security report emanating from agencies' inspectors general, as well as from the Government Accountability Office, cites vulnerabilities that place IT at risk. But that doesn't necessarily mean the identified flaws will result in a breach or compromise. That's a point made by John Gilligan, the former Air Force and Energy Department CIO (see Should IG Reports be Treated as Gospel?), who has complained that security audits aren't always placed in context.
It's heartening to see DHS guidance encouraging auditors to provide context when evaluating the security posture of agencies' information technology. The purpose of these audits isn't to place blame, but to help make government IT more secure.