(NIST: Gaithersburg, Maryland) -- The National Institute of Standards and Technology (NIST) is asking for public review and comment on a major revision to its security certification and accreditation guidelines for federal information systems. A substantial rewrite of the original document, the new “Guide for Security Authorization of Federal Information Systems: A Security Life Cycle Approach,” represents a significant step toward developing a common approach to information security across the Federal government, including civilian, defense, and intelligence agencies, according to NIST security experts.
When finalized, the revised guide will replace NIST Special Publication 800-37, which was issued in 2004 under the title “Guide for the Security Certification and Accreditation of Federal Information Systems.” Like the original, the revised guide maps out a basic framework for managing the risks that arise from the operation and use of federal information systems, the measures taken to address or reduce those risks, and a formal managerial process for accepting known risks and for granting, or withdrawing, authorization to operate information systems. The guide emphasizes the need to treat information security as a dynamic process, with established procedures to monitor, reassess, and update security measures so that an information system remains in its authorized security state. The revised security authorization process is designed to be tightly integrated into enterprise architectures and ongoing system-development life-cycle processes. The new process promotes the concept of near real-time risk management, capitalizes on investments in technology, including automated support tools, and takes advantage of more than three decades of lessons learned from previous approaches to certification and accreditation.
NIST is requesting comments on the draft by Sept. 30, 2008.
Copies of the initial public draft of SP 800-37 Revision 1 are available from the NIST computer security resource center at http://csrc.nist.gov.
For further information, visit http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf.