laws are applicable, understanding the applicable laws, and then finding assistance in fulfilling the requirements dictated under those laws. As it currently stands, NIST is charged with designing the guidelines and providing the assistance to agencies. Once the full five guidelines are released, agencies will have in their hands a wealth of information and tools to assist them not only with C&A but with the laws themselves.
It will be up to the agencies how they use these guidelines and how they address them in their dealings with contractors. While the guidelines provide the means for consistency and repeatability across and within agencies, there is still work to be done. Efforts need to be made to answer the question of communication between contractors. The issue of sharing proprietary security information between an agency and its contractors needs to be assessed; additionally, FISMA is still very young and needs to be rigorously evaluated. In the coming months, agencies, their programs, and their contractors will be going through the C&A process, and most will be going through it for the first time. This process will raise many questions and issues and will, in turn, require the guidelines, and perhaps even the laws mandating them, to be re-evaluated. Security holes in systems will no doubt be identified and will need to be dealt with; this will cost money.
The original E-Government bill in 2001 called for $100 million over 3 years; however, OMB only received $5 million for 2003 and will only receive $5 million for 2004.[49] It remains to be seen whether this will be enough for the government, and it does not consider the implications of changes in security requirements for contractors and, in turn, the increased cost of using those contractors. While this is far outside the scope of this document, it is nonetheless worth noting when considering the federal government's challenges in living up to the requirements of the legislation aimed at managing IT security.
© SANS Institute 2004, Author retains full rights.
[49] Washington Post, "No Stellar E-Gov Funding", http://www.washingtonpost.com/wp-dyn/articles/A60315-2003Sep11.html