Project Phases

Phase I: Standards and Guidelines Development (2003-2007)
The first phase of the FISMA Implementation Project focuses on the development of the security standards and guidance required to effectively implement the provisions of the legislation. The implementation of the NIST standards and guidance will help agencies create robust information security programs and effectively manage risk to agency operations, agency assets, and individuals. The publications include:
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (Completed)
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems (Completed)
- NIST Special Publication 800-30, Revision 1, Risk Assessment Guideline (Completion December 2007)
- NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (Completed)
- NIST Special Publication 800-39, NIST Risk Management Framework (Completion December 2007)
- NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems (Completed)
- NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Completion July 2007)
- NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System (Completed)
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories (Completed)
Phase II: Organizational Credentialing Program (2007-2009)

The second phase of the FISMA Implementation Project will focus on the development of a program for credentialing public and private sector organizations to provide security assessment services for federal agencies. The security services involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Organizations that participate in the credentialing program can demonstrate competence in the application of the NIST security standards and guidelines. Developing a network of credentialed organizations with demonstrated competence in the provision of security assessment services will give federal agencies greater confidence in the acquisition and use of such services. Public workshops will be conducted at the beginning of FISMA Phase II to discuss potential organizational credentialing models. Consult this web site for additional details and the workshop schedule.
Phase III: Security Tool Validation Program (2008-2009) - Eliminated as a Separate Phase*

* The third phase of the FISMA Implementation Project will not be implemented as a separate phase but will be incorporated into Phase II and use existing IT product testing, evaluation, and validation programs.