The National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) has been responsible for cybersecurity guidance, and for successive iterations of risk management guidance, for more than 50 years. Following the passage of the Federal Information Security Management Act (FISMA) of 2002, later amended by the Federal Information Security Modernization Act of 2014, Congress tasked NIST with developing security standards and guidelines for all Federal systems other than national security systems (which include classified systems). NIST maintains a thorough and approachable history of its cybersecurity program, including the evolution of the Risk Management Framework (RMF), that outlines its goals and strategies for technical security.

NIST has published a library of software risk management guides containing 24 core documents.1 In addition, the Office of Management and Budget (OMB), through the Office of the Federal Chief Information Officer (OFCIO), publishes Circular A-130, “Management of Information as a Strategic Resource.” Taken together, this collection of documents governs all aspects of Federal information security (see Appendix B).

The Framework is primarily focused on protecting data rather than on keeping systems running. This sets it apart from many other approaches to technical security, which treat a system’s functional availability as a primary objective. The Framework encourages a system to stop functioning rather than expose or lose data (failing closed: when a control cannot be enforced, the action is denied), whereas many modern software developers prioritize the continued availability of a product or service even when the system is in distress or a breach has occurred (failing open: when a control cannot be enforced, the action proceeds anyway). Each approach has advantages and disadvantages, but this fundamental difference is a basis for significant tension when applying the Framework to more recent software systems.
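To make the fail-closed versus fail-open distinction concrete, here is a small added example in Python; it is not from the original page or from any NIST publication. It assumes a hypothetical write path that must pass an authorization check against a policy service and an integrity check before storing a record. The policy service, its allow-list, the outage flag and the sample payload are all constructed for illustration. The only difference between the two modes is what happens when a check cannot be completed: fail-closed sacrifices availability to protect the data, fail-open preserves availability and lets an unverifiable write through.

```python
"""Fail-closed vs fail-open handling of a security check (added example)."""
import hashlib
import logging
from enum import Enum
from typing import Callable

log = logging.getLogger("failmode")


class FailureMode(Enum):
    CLOSED = "closed"  # deny the action when a check cannot be completed
    OPEN = "open"      # allow the action when a check cannot be completed


class CheckUnavailable(RuntimeError):
    """The service backing a security check could not give an answer."""


def evaluate(check: Callable[[], bool], mode: FailureMode) -> bool:
    """Run a security check and map 'could not decide' onto the chosen mode.

    A check that returns False is always a denial. Only the *unavailable*
    case differs between the two modes.
    """
    try:
        return check()
    except CheckUnavailable as exc:
        if mode is FailureMode.CLOSED:
            log.warning("check unavailable (%s); denying (fail-closed)", exc)
            return False
        log.warning("check unavailable (%s); allowing (fail-open)", exc)
        return True


# Constructed stand-in for a policy service: a fixed allow-list plus an
# outage flag. A real deployment would call out to an authorization server.
ALLOWED_WRITERS = {"alice"}


def make_authz_check(user: str, policy_service_up: bool) -> Callable[[], bool]:
    def check() -> bool:
        if not policy_service_up:
            raise CheckUnavailable("policy service timed out")
        return user in ALLOWED_WRITERS
    return check


def make_integrity_check(payload: bytes, expected_digest: str) -> Callable[[], bool]:
    """Integrity check: the stored digest must match the payload being written."""
    def check() -> bool:
        return hashlib.sha256(payload).hexdigest() == expected_digest
    return check


def handle_write(user: str, payload: bytes, expected_digest: str,
                 policy_service_up: bool, mode: FailureMode) -> str:
    """Return the outcome of one write request under the given failure mode."""
    if not evaluate(make_authz_check(user, policy_service_up), mode):
        return "denied"
    if not evaluate(make_integrity_check(payload, expected_digest), mode):
        return "rejected-corrupt"
    return "written"


# Constructed sample record and its digest as recorded at ingest time.
PAYLOAD = b"record-id=42;classification=sensitive"
DIGEST = hashlib.sha256(PAYLOAD).hexdigest()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for up in (True, False):
        for mode in FailureMode:
            for user in ("alice", "mallory"):
                outcome = handle_write(user, PAYLOAD, DIGEST, up, mode)
                print(f"service_up={up!s:5} mode={mode.value:6} user={user:8} -> {outcome}")
```

Run with the service up and both modes behave identically; take the policy service down and fail-closed denies even the legitimate writer (availability lost, data protected), while fail-open writes for anyone, including the unauthorized user (availability kept, data at risk). That is the trade-off the Framework resolves in favour of the data.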

Chief Information Officers (CIOs) in each Federal agency create tailored authorization procedures that govern how the Framework is implemented in practice. Authorizing Officials (AOs) in each agency use their agency-specific authorization policy and the NIST publications to manage security and to issue every system its own Authority to Operate (ATO). An AO is responsible for understanding each document in the library, its role in the authorization process, and how to implement it. In theory, AOs should read and reference the documents for guidance and apply them consistently across their organization and throughout the government.

  1. While some practitioners may argue that it is possible to navigate the authorization process with fewer publications (and some may reference additional documents), NIST has published these 24 documents specifically to support software security management.



This site was last updated on 9 OCT 2023.