NIST invites comments on important FISMA-related document

Published 30 October 2007

NIST releases cybersecurity framework document for public comment; when finalized, it will become NIST’s flagship FISMA-related document

Information technology is the engine that drives the U.S. economy — indeed, it drives all advanced economies. It allows organizations to carry out their missions and business operations more efficiently and effectively. These efficiencies come with a cost, however, because along with their power and usefulness, information systems introduce man-made and natural risks into the operations of organizations. These threats may compromise these organizations’ mission, operations, and reputation. In order to provide guidelines for addressing these potential threats, the National Institute of Standards and Technology (NIST) has issued a draft of Special Publication 800-39, titled “Managing Risk from Information Systems: An Organizational Perspective,” for public comment. Risk management is a balancing act requiring explicit management decisions that address the trade-off between, on the one hand, the utility and convenience of modern information systems and, on the other hand, the potential for serious harm if these systems are misused. NIST’s new guide is intended for individuals ranging from agency heads to system administrators, and it outlines a top-level process for building and implementing a technically sound and effective information security program within an organization. It ties together different NIST computer security documents, and when finalized, it will become the flagship document in a series of NIST documents related to FISMA, the Federal Information Security Management Act.

As with all NIST Special Publications, the public review process is an integral part of the document’s development. The public comment period for the document is 29 October-14 December 2007.